NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

pkellum's avatar
pkellum
Aspirant
Jan 09, 2026

Why is my Netgear router trying to hack my NAS?

I had this happen with another Netgear router and returned it and got another, but same thing.  The router is constantly trying to log into my Synology NAS using usernames like "user" and "admin".  I...
rs200
StephenB's avatar
StephenB
Guru - Experienced User
Jan 10, 2026
pkellum wrote:


"The IP address [192.168.1.1] experienced 10 failed attempts when attempting to log in to SSH running on Synology418play within 5 minutes and was blocked..."

The usernames it is using to try and get into my NAS with are ones like "vagrant", "root", "mysql", and "andy" 

 

What model router are you using, and what firmware is it running?

 

Are you seeing any attempts to log into other devices on your network?

 

Is Armor enabled on the router?

pkellum's avatar
pkellum
Aspirant
Jan 10, 2026

Nighthawk Tri-Band WiFi 7 model RS280S.  Firmware: 1.0.5.22.  I have SSH disabled on most of my other devices except a couple game servers and I see the same attempts on those.  Everything is defaults and it looks like Armor was enabled when I set up the router.  

  • schumaku's avatar
    schumaku
    Guru - Experienced User
    Jan 11, 2026
    pkellum wrote:

    I have SSH disabled on most of my other devices except a couple game servers and I see the same attempts on those. 

     

    The first step in establishing an SSH (or SCP) session would be opening up a TCP connection. Which can't - unless some kind of SSH service listener is enabled on your NAS, waiting for a connection, including the possible vulnerability checking.

     

    Test with something like this to check if there is some listener on port 22 active on your NAS: 

     

    netstat -an | grep 22

     

    • StephenB's avatar
      StephenB
      Guru - Experienced User
      Jan 11, 2026
      schumaku wrote:

      unless some kind of SSH service listener is enabled on your NAS, waiting for a connection,

      pkellum​:  Synology NAS do have intrusion detection, and I think it is being triggered by Armor's device scan. See this post (from 2022):

      So begin by disabling Armor, and see if the problem stops.

       

      schumaku​:  Note per this post, the intrusion detection on the Synology is enabled even if ssh is not enabled.

       

      • schumaku's avatar
        schumaku
        Guru - Experienced User
        Jan 11, 2026

        Intrusion detection is active for any service active on the Syno (or QNAP, or Asustor, ...) offering or requiring authentication. In this post is -must- be active, despite the OP claims SSH insists only enabled on devices requiring it - however, SSH access attempts are logged.

         

         

         

         

         

         

        pkellum wrote:

        "The IP address [192.168.1.1] experienced 10 failed attempts when attempting to log in to SSH running on Synology418play within 5 minutes and was blocked..."

         

        ...as per the initial post.  8-)

         

        pkellum wrote:

        Nighthawk Tri-Band WiFi 7 model RS280S.  Firmware: 1.0.5.22.  I have SSH disabled on most of my other devices except a couple game servers and I see the same attempts on those. 

         

        Have spotted the point in the old thread StephenB​  referred. Love to fight variable targets...

         

        Like the other post starter who can't understand, what is going on. Something to challenge Synology in case. Remains the curiosity, how are there ssh packets reaching the NAS (behind of the NAT router on the LAN), and on which port

         

        I hope for Netgear the have not carried forward their old iptables NAT implementation bugs and errors to this decent router model.