All Credit to copyleft from oscam.to
Hi all,
In this tutorial I will
I - give you some useful init scripts, to make it easy to start/stop/restart and check an Oscam instance.
II - show you how you can run and easily manage multiple Oscam instances on the same host.
This is useful if, for example, you have multiple cards on your system and you want to use
different load_balancing modes for each card or group of identical cards,
or if, for better performance, you run two or more instances instead of overloading one running Oscam instance.
III - show you how to harden and increase the security of Oscam when running as a server that is exposed to the Internet.
This is useful to not get hacked.
Copyright:
All presented information and code is released under the terms of the GPL-v3 licence
PART I
Prerequisites:
I assume you have compiled/downloaded Oscam so you got 2 binaries, "oscam" and "list_smargo"
Installation:
as user "root" you do:
sudo su -
mkdir -p /opt/oscam/{bin,conf,init}
cp oscam /opt/oscam/bin/oscam_svn_v1.23_build1234
chmod +x /opt/oscam/bin/oscam_svn_v1.23_build1234
ln -s /opt/oscam/bin/oscam_svn_v1.23_build1234 /opt/oscam/bin/oscam.bin
cp list_smargo /opt/oscam/bin/list_smargo_svn_v1.23_build1234
chmod +x /opt/oscam/bin/list_smargo_svn_v1.23_build1234
ln -s /opt/oscam/bin/list_smargo_svn_v1.23_build1234 /opt/oscam/bin/list_smargo
Creation of an Oscam instance:
Now I will create my first instance and I call it "hotbabe1"
I place my config files (oscam.conf, oscam.server, oscam.user ...) for Oscam instance "hotbabe1" into "/opt/oscam/conf/hotbabe1"
Now I create the init script for Oscam instance "hotbabe1"
Now copy the following code into "/opt/oscam/init/oscam.hotbabe1"
#!/bin/bash
#
# Init script for one Oscam instance.
OSCAM_BIN_DIR="/opt/oscam/bin"
OSCAM_LOG_DIR="/opt/oscam/log"
OSCAM_TMP_DIR="/opt/oscam/tmp"
RUNASUSER="root"
OSCAM_BIN="oscam.bin"
DEVNULL="/dev/null"
OSCAM_CONF_DIR="/opt/oscam/conf/hotbabe1"
PROCESSNAME="oscam.hotbabe1"
NICELEVEL="-15"
#
# Succeeds if a process started with this instance's config dir is running.
# The trailing space keeps "hotbabe1" from also matching e.g. "hotbabe10".
check_oscam() {
    ps aux | grep -v grep | grep -qF "$OSCAM_BIN_DIR/$OSCAM_BIN -c $OSCAM_CONF_DIR "
}
#
# Start the instance as $RUNASUSER, then renice all of its processes.
start_oscam() {
    sudo -u "$RUNASUSER" "$OSCAM_BIN_DIR/$OSCAM_BIN" -c "$OSCAM_CONF_DIR" -t "$OSCAM_TMP_DIR" -b -d 1 -r 2
    for i in $(ps aux | grep -v grep | grep -F "$OSCAM_BIN_DIR/$OSCAM_BIN -c $OSCAM_CONF_DIR " | awk '{ print $2 }'); do
        renice -n "$NICELEVEL" -p "$i" > "$DEVNULL" 2>&1
    done
}
#
# Kill every process of this instance with SIGKILL.
kill_oscam() {
    for i in $(ps aux | grep -v grep | grep -F "$OSCAM_BIN_DIR/$OSCAM_BIN -c $OSCAM_CONF_DIR " | awk '{ print $2 }'); do
        kill -9 "$i" > "$DEVNULL" 2>&1
    done
}
#
# Create the log and tmp directories if missing and, when not running as
# root, make sure they belong to $RUNASUSER.
check_log_tmp_dir() {
    [ -d "$OSCAM_LOG_DIR" ] || mkdir -p "$OSCAM_LOG_DIR"
    [ -d "$OSCAM_TMP_DIR" ] || mkdir -p "$OSCAM_TMP_DIR"
    if [ "$RUNASUSER" != "root" ]; then
        [ "$(stat -c %U "$OSCAM_LOG_DIR")" = "$RUNASUSER" ] || chown -R "$RUNASUSER":"$RUNASUSER" "$OSCAM_LOG_DIR"
        [ "$(stat -c %U "$OSCAM_TMP_DIR")" = "$RUNASUSER" ] || chown -R "$RUNASUSER":"$RUNASUSER" "$OSCAM_TMP_DIR"
    fi
}
#
check_log_tmp_dir
case "$1" in
    start)
        check_oscam && echo "$PROCESSNAME already running. Exiting!" && exit 1
        echo "starting $PROCESSNAME!"
        start_oscam
        sleep 0.1
        check_oscam && echo "$PROCESSNAME started successfully!" && exit 0
        echo "Failed to start $PROCESSNAME. Exiting!" && exit 1
        ;;
    stop)
        ! check_oscam && echo "$PROCESSNAME already stopped!" && exit 1
        echo "shutting down $PROCESSNAME!"
        kill_oscam
        sleep 0.1
        ! check_oscam && echo "$PROCESSNAME shutdown successfully!" && exit 0
        echo "Failed to stop $PROCESSNAME. Exiting!" && exit 1
        ;;
    restart)
        ! check_oscam && echo "$PROCESSNAME already stopped!" && exit 1
        echo "restarting $PROCESSNAME!"
        kill_oscam
        sleep 0.1
        check_oscam && echo "Failed to stop $PROCESSNAME. Exiting!" && exit 1
        start_oscam
        sleep 0.1
        check_oscam && echo "$PROCESSNAME restarted successfully!" && exit 0
        echo "Failed to restart $PROCESSNAME. Exiting!" && exit 1
        ;;
    status)
        check_oscam && echo "$PROCESSNAME is running!" && exit 0
        echo "$PROCESSNAME is stopped!" && exit 1
        ;;
    *)
        N="/etc/init.d/$PROCESSNAME"
        echo "Usage: $N {start|stop|restart|status}" >&2
        exit 1
        ;;
esac
#
exit 0
Install the script with:
Now you should be able to "start/stop/restart/status" your very "hotbabe1" Oscam instance
Just run:
service oscam.hotbabe1 status
service oscam.hotbabe1 stop
service oscam.hotbabe1 start
service oscam.hotbabe1 restart
Now for every additional Oscam instance we choose a different name e.g. "hotbabe2" and repeat the steps in "Creation of an Oscam instance:",
and change the variables "OSCAM_CONF_DIR" and "PROCESSNAME" in the start script of the new instance.
Note that you have to choose a different port/ports for every new instance in the "oscam.conf" when running multiple instances!
PART II
Now once you have lots of running instances and hopefully lots of RAM :)
you need to manage them all easily. Thus we need a master Oscam init script.
I call it "oscam"
touch /opt/oscam/init/oscam
chmod +x /opt/oscam/init/oscam
ln -s /opt/oscam/init/oscam /etc/init.d/
Copy the following code into "/opt/oscam/init/oscam"
#!/bin/bash
#
# Master init script: passes the requested action to every per-instance
# script linked as /etc/init.d/oscam.<name>.
case "$1" in
    start|stop|restart|status)
        for i in /etc/init.d/oscam.*; do
            # Skip the unexpanded pattern when no instance script is installed.
            [ -x "$i" ] || continue
            "$i" "$1"
        done
        ;;
    *)
        N="/etc/init.d/oscam"
        echo "Usage: $N {start|stop|restart|status}" >&2
        exit 1
        ;;
esac
exit 0
Now you can manage all of your Oscam instances by running:
PART III
First I will go through hardening Oscam on GNU-Linux OS level.
As you can see I use a "RUNASUSER" variable in the init script of the oscam instance.
When using oscam as a card reader we set it to run as root, as we need root privileges to write to the USB-device file of the card reader.
Another approach would be writing a udev rule to change the owner/permissions of the device file when it is created.
E.g. find out which device class your reader belongs to under GNU-Linux ... write a udev rule .... and then set the "RUNASUSER" variable to an unprivileged user.
But when using Oscam as a proxy or as a frontend server to other (not trusted internet) clients, then hardening comes into play.
So these are the steps to harden your Oscam server.
Now we just set "RUNASUSER" to oscam, e.g. RUNASUSER="oscam", in the Oscam instance init script and restart Oscam.
Now Oscam is running as a non-privileged user with no shell and no home directory.
There are no performance issues with this setup.
By doing so it is now hard to break into your system.
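An added example, not part of the original tutorial: a check that an instance started by the init script above really runs under an account with no root UID, no login shell and no home directory. The function names and the script name in the usage comment are assumptions made for the illustration; the binary and config paths are the tutorial's.

```bash
#!/bin/bash
# Added example: audit the account an Oscam instance runs as.
# Function names are illustrative; paths are the ones used in the tutorial.

# instance_user <conf_dir>
# Reads `ps -eo user=,args=` output on stdin and prints the user that owns the
# instance started with "-c <conf_dir> ". Returns 1 if no such process exists.
instance_user() {
    awk -v pat="/opt/oscam/bin/oscam.bin -c $1 " \
        'index($0, pat) { print $1; found = 1; exit }
         END { exit !found }'
}

# check_service_account <passwd-line>
# Returns 0 only if the account is not UID 0, has a non-login shell and its
# home directory does not exist on disk. Prints one line per finding.
check_service_account() {
    local name pw uid gid gecos home shell rc=0
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    if [ "$uid" = "0" ]; then
        echo "FAIL: $name has UID 0"; rc=1
    fi
    case "$shell" in
        */nologin|*/false) ;;
        *) echo "FAIL: $name can log in with shell '${shell:-/bin/sh}'"; rc=1 ;;
    esac
    if [ -n "$home" ] && [ -d "$home" ]; then
        echo "FAIL: $name has an existing home directory: $home"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $name has no root UID, no shell, no home"
    return "$rc"
}

# Live use on the host: ./audit_oscam.sh /opt/oscam/conf/hotbabe1
if [ "$#" -eq 1 ]; then
    user=$(ps -eo user=,args= | instance_user "$1") ||
        { echo "no running instance for $1"; exit 1; }
    check_service_account "$(getent passwd "$user")"
fi
```

Run it once per instance after changing "RUNASUSER"; a non-zero exit status means the instance is still running under an account that fails one of the three checks.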
Now we need to harden Oscam and protect your cards on CS level. To do so just check the "ecm whitelisting" option in oscam.conf.
Also only allow EMM from trusted clients.
Best practice is also to handle most "untrusted" ECM traffic via caching.
P.S. In the next tutorial I will introduce you to a watchdog that I have written for Oscam.
Also a tutorial on how to protect your server against SYN flooding and port knocking attacks will follow.
Cheers