Diskstation DS211 waking up a lot.

All questions regarding system hibneration may be placed here. Thanks!
Forum rules
1) This is a user forum for Synology users to share experience/help out each other: if you need direct assistance from the Synology technical support team, please use the following form:
https://myds.synology.com/support/suppo ... p?lang=enu
2) To avoid putting users' DiskStation at risk, please don't paste links to any patches provided by our Support team as we will systematically remove them. Our Support team will provide the correct patch for your DiskStation model.

Diskstation DS211 waking up a lot.

Postby mooker » Sun Apr 08, 2012 6:51 pm

My DS211 is waking up every 10 to 30 minutes even when I am not accessing it. Here is the log of what is happening and a lot of these IP addresses are from outside the US. What would cause all this to occur? I use DynDNS, could this be causing the problem? Also, what is port 445 used for? Could I fix the problem by blocking that port? Any help would be appreciated as I am not tech savvy with this type of stuff.

Log:
[LAN access from remote] from 50.27.194.90:1061 to 192.168.1.5:445, Sunday, April 08,2012 08:51:26
[LAN access from remote] from 182.9.177.230:3001 to 192.168.1.5:445, Sunday, April 08,2012 08:51:15
[LAN access from remote] from 109.96.248.107:1180 to 192.168.1.5:445, Sunday, April 08,2012 08:46:15
[LAN access from remote] from 89.178.35.35:1115 to 192.168.1.5:445, Sunday, April 08,2012 08:36:16
[LAN access from remote] from 222.76.250.4:1668 to 192.168.1.5:445, Sunday, April 08,2012 08:32:10
[LAN access from remote] from 24.104.156.14:31550 to 192.168.1.5:445, Sunday, April 08,2012 07:59:57
[LAN access from remote] from 76.0.203.182:2933 to 192.168.1.5:445, Sunday, April 08,2012 07:41:48
[LAN access from remote] from 65.163.244.214:2821 to 192.168.1.5:445, Sunday, April 08,2012 07:34:16
[LAN access from remote] from 188.18.87.207:1891 to 192.168.1.5:445, Sunday, April 08,2012 07:32:56
[LAN access from remote] from 60.190.152.22:24737 to 192.168.1.5:445, Sunday, April 08,2012 07:22:42
[LAN access from remote] from 85.122.5.224:48219 to 192.168.1.5:445, Sunday, April 08,2012 07:20:30
[LAN access from remote] from 221.207.61.74:49402 to 192.168.1.5:80, Sunday, April 08,2012 06:58:32
[LAN access from remote] from 200.162.43.6:3661 to 192.168.1.5:445, Sunday, April 08,2012 06:32:15
[LAN access from remote] from 78.63.240.83:1575 to 192.168.1.5:445, Sunday, April 08,2012 05:50:50
[LAN access from remote] from 8.3.161.214:56065 to 192.168.1.9:27161, Sunday, April 08,2012 05:48:02
[LAN access from remote] from 31.14.220.195:3417 to 192.168.1.5:445, Sunday, April 08,2012 05:37:36
[LAN access from remote] from 84.2.195.143:3376 to 192.168.1.5:445, Sunday, April 08,2012 05:27:58
[LAN access from remote] from 114.40.184.28:3871 to 192.168.1.5:445, Sunday, April 08,2012 05:26:56
[LAN access from remote] from 176.241.229.45:2118 to 192.168.1.5:445, Sunday, April 08,2012 05:26:27
[LAN access from remote] from 109.169.73.167:2744 to 192.168.1.5:445, Sunday, April 08,2012 05:00:59
[LAN access from remote] from 221.207.61.74:49402 to 192.168.1.5:80, Sunday, April 08,2012 04:53:23
[LAN access from remote] from 80.253.62.24:3985 to 192.168.1.5:445, Sunday, April 08,2012 04:47:44
[LAN access from remote] from 70.17.254.34:2843 to 192.168.1.5:445, Sunday, April 08,2012 04:46:35
[LAN access from remote] from 211.76.78.175:4616 to 192.168.1.5:445, Sunday, April 08,2012 04:30:35
[LAN access from remote] from 212.160.237.231:4150 to 192.168.1.5:445, Sunday, April 08,2012 04:14:48
[LAN access from remote] from 118.232.62.44:2157 to 192.168.1.5:445, Sunday, April 08,2012 04:11:51
[LAN access from remote] from 202.162.221.229:2194 to 192.168.1.5:445, Sunday, April 08,2012 04:10:04
[LAN access from remote] from 206.223.246.146:2676 to 192.168.1.5:445, Sunday, April 08,2012 04:08:59
[LAN access from remote] from 111.249.16.85:3465 to 192.168.1.5:445, Sunday, April 08,2012 04:08:36
[LAN access from remote] from 186.240.36.199:4048 to 192.168.1.5:445, Sunday, April 08,2012 03:56:42
[LAN access from remote] from 78.84.182.135:2926 to 192.168.1.5:445, Sunday, April 08,2012 03:33:00
[LAN access from remote] from 221.207.61.74:49402 to 192.168.1.5:80, Sunday, April 08,2012 03:28:04
[LAN access from remote] from 94.52.83.132:3787 to 192.168.1.5:445, Sunday, April 08,2012 03:19:28
[LAN access from remote] from 213.250.216.116:2970 to 192.168.1.5:445, Sunday, April 08,2012 03:13:34
[LAN access from remote] from 84.3.86.2:2765 to 192.168.1.5:445, Sunday, April 08,2012 03:09:08
[LAN access from remote] from 71.42.206.66:51334 to 192.168.1.5:445, Sunday, April 08,2012 03:04:21
[LAN access from remote] from 111.250.48.85:2637 to 192.168.1.5:445, Sunday, April 08,2012 02:51:39
[LAN access from remote] from 66.115.85.147:2247 to 192.168.1.5:445, Sunday, April 08,2012 02:33:23
[LAN access from remote] from 77.35.210.117:3249 to 192.168.1.5:445, Sunday, April 08,2012 02:33:03
[LAN access from remote] from 211.74.78.12:4460 to 192.168.1.5:445, Sunday, April 08,2012 02:26:34
[LAN access from remote] from 188.143.70.40:4206 to 192.168.1.5:445, Sunday, April 08,2012 02:26:12
[LAN access from remote] from 86.63.100.200:3118 to 192.168.1.5:445, Sunday, April 08,2012 02:08:10
[LAN access from remote] from 168.96.200.3:3762 to 192.168.1.5:445, Sunday, April 08,2012 02:05:48
[LAN access from remote] from 78.48.12.15:2842 to 192.168.1.5:445, Sunday, April 08,2012 01:58:12
[LAN access from remote] from 88.179.114.164:3500 to 192.168.1.5:445, Sunday, April 08,2012 01:55:20
[LAN access from remote] from 188.173.102.51:3248 to 192.168.1.5:445, Sunday, April 08,2012 01:52:15
[LAN access from remote] from 46.49.111.228:4681 to 192.168.1.5:445, Sunday, April 08,2012 01:50:57
[LAN access from remote] from 184.106.77.103:1404 to 192.168.1.5:445, Sunday, April 08,2012 01:47:27
[LAN access from remote] from 27.69.100.72:1661 to 192.168.1.5:445, Sunday, April 08,2012 01:46:49
[LAN access from remote] from 159.224.28.227:3053 to 192.168.1.5:445, Sunday, April 08,2012 01:39:38
[LAN access from remote] from 31.171.52.45:1582 to 192.168.1.5:445, Sunday, April 08,2012 01:38:30
[LAN access from remote] from 219.136.206.12:27443 to 192.168.1.5:445, Sunday, April 08,2012 01:08:00
[LAN access from remote] from 77.113.38.66:1835 to 192.168.1.5:445, Sunday, April 08,2012 01:07:36
[LAN access from remote] from 89.46.183.49:3955 to 192.168.1.5:445, Sunday, April 08,2012 00:55:14
[LAN access from remote] from 221.207.61.74:49402 to 192.168.1.5:80, Sunday, April 08,2012 00:52:14
mooker
I'm New!
I'm New!
 
Posts: 2
Joined: Sun Apr 08, 2012 6:35 pm

Re: Diskstation DS211 waking up a lot.

Postby maxxfi » Mon Apr 09, 2012 8:30 am

mooker wrote: Also, what is port 445 used for?


Uh, oh... it's better you close all access from remote for the time being!
Port 445 (tcp) is access to Windows File Sharing
http://www.linklogger.com/TCP445Scan3.htm

After that, start your forensic work:
- check any logs that are enabled on the Synology
- run antivirus/antimalware on the archive
- inspect any directory for unusual content

Then, let's have a look at what ports you should open to outside world, and which ones should be instead bolted shut :)
DS-411 (DSM 4.3-3827u5) w/ 2x WD20EFRX + 1x WD10EFRX
DS-106j (DSM 3.0-1357), PATA-to-SATA adapter, 2.5" HM250HI
User avatar
maxxfi
Programmer
Programmer
 
Posts: 5682
Joined: Sun Dec 27, 2009 12:13 pm
Location: Espoo, Finland

Re: Diskstation DS211 waking up a lot.

Postby mooker » Mon Apr 09, 2012 4:20 pm

I set up the firewall to reject all ports except those necessary for me to manage the device. I looked at the files and nothing is out of the ordinary. I am running a full virus scan now. I have not read through the logs yet, but I will and will let you know what I find. Is there a better place to get a dynamic DNS than DynDNS? I'm sure these people just put in random addresses for urls from DynDNS and just start attacking. Is there a better way to route to my DS211 without putting it at risk? Thank you for your help! I immediately blocked port 445 and access dropped significantly. Still having hits on port 443 and others, but not nearly as often. Can they get to my DS without a username and password if I have the guest account turned off? My firewall on the DS is now on with just a few ports open to access the web interface.
mooker
I'm New!
I'm New!
 
Posts: 2
Joined: Sun Apr 08, 2012 6:35 pm

Re: Diskstation DS211 waking up a lot.

Postby myCloud » Sun Apr 15, 2012 4:13 pm

This why when I go to run a web server or a mail server, I'll get a 1-bay DS, put it in the DMZ between the UVERSE router and the AirPort Extreme router, and forward the appropriate ports to the 1-bay on the UVERSE router.

Getting to your situation. The default port for DSM is 5000, that for uPnP, certain to be included in scans. As a minimum, I'd add HTTPS on 5001 and auto-redirect to that, as well as change the port forwarding on the router from 5000->5000 and 5001->5001 to something like 22050->5000 and 22051 -> 5001 (rarely scanned high numbered ports) and use those when you're outside your network.
DS 1512+ w/3GB, 5 x 3TB Seagate ST3000DM001 8.2TB RAID 6, half files/half Time Machine.
Icy Dock MB559U3S-1SB enclosure w/4TB Hitachi UltraStar via USB 3 for files backup
UVERSE to AirPort Extreme + 2 AirPort Express w/speakers. TRENDnet TV-IP312WN camera
CyberPower CP1500PFCLCD Sine Wave UPS
DSM 4.1-2661 w/SSH + SFTP, VPN Server, Syslog Server, Media Server, Mail Server, Mail Station,
Audio Station, Surveillance Station, Photo Station, Web Station - DS Apps on iPad & iPod Touch.
User avatar
myCloud
Skilled
Skilled
 
Posts: 648
Joined: Fri Mar 23, 2012 11:28 am


Return to Hibernation Room

Who is online

Users browsing this forum: No registered users and 2 guests