NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Why is my Netgear router trying to hack my NAS?
I had this happen with another Netgear router and returned it and got another, but same thing. The router is constantly trying to log into my Synology NAS using usernames like "user" and "admin". I...
The wonderful effects when some devices on the LAN are allowed to configure NAT port forwarding by UPnP. Beyond of what StephenB asked before, allow some more questions:
Or do you have intentionally configured a port forwarding for ssh (Port 22/tcp) on the router?
Does your router show the public IP address on the WAN port (Internet side), or is there another device like an Internet provider router doing NAT in front of the unspecified Netgear router - this is the typical dual NAT issue....
The router has no port forwarding set up at all so far, it's still at the defaults except for passwords. The router shows NAT forwarding as secured. I still don't understand how that would cause the router to try attempting to access my devices through SSH. This didn't happen with my ASUS router.
The router has no port forwarding set up at all so far,
is UPNP enabled?
it looks like Armor was enabled when I set up the router
I believe it does penetration testing, which would explain the symptoms. So try disabling it.
pkellum wrote:
The router has no port forwarding set up at all so far,
is UPNP enabled?...the question applies to both the router as well as the NAS. Certainly enabled is by default. and of course any kind of NAS (Syno, QNAP, ....) don't hesitate making use of it. In case you have some Syno Apps active where just one requests UPnP port forwarding...
The router shows NAT forwarding as secured
Seriously, what wonders do you expect from a Consumer Class Router please?
pkellum any modern NAS operating system does have some click and pray controls to make the UPnP port forwardings visible.
Does your router show any kind of a real routable or carrier class NAT IPv4 address on the WAN / Internet side? In case it is 192.168.1.1 double NAT is very likely, and there are two routers in line to the Internet.
Or is 192.168.1.1 for sure the LAN IP address? Not the first time (and I'm helping NAS users for about two decades ....) the NAT IP tables are configured wrong or strange, showing a connection from the router on it's LAN IP address.
To view the UPnP port forwarding rules currently active on your Synology NAS (DiskStation Manager or DSM), follow these steps in the web interface:
- Log into your Synology DSM interface as an administrator.
- Open the Control Panel.
- Go to External Access.
- Select the Router Configuration tab.
- Here you will see a list of services and the corresponding external ports that have been opened, either manually or automatically via UPnP. The list will specify the Private IP, Public port, Private port (e.g., 22), and Protocol
There was a longer thread (from what I find looking briefly no conclusion it's really Netgear Armor (or Bitdefender) doing active vulnerability testing ->
Failed logins to my QNAP NAS from my Netgear BE9200 | NETGEAR Communities
Said that: No matter which NAS brand, only enable SSH on your NAS(es) if you really require this for your daily operations.
I'm curious: If you SSH from an external system to your router public IP address, and type in random (identifiable) usernames: Will the NAS show these again as connections from the router or from the originating system public IPv4 address? No, don't do it direct from your Internet connection, the loopback NAT address might suffer from the same common issue on IP table config on consumer routers ...
To me, all these cases look much more like your NAS (through the router) has indeed exposed 22/tcp and the NAS ssh service to the wild Internet to script kiddies (and professional data collectors) trying out ...
