This is an article that tries to help understanding how to debug CCcam events.
Understanding this may help you to get a more stable server.
To achieve this you need to remove all/most of ongoing errors.
Ecample commands to find errors are also included.
To get a stable server follow this important rules:
1. Do NOT use port 12000 (user a high like 53232)
2. Quality before Quantity
3. Never ever add a peer without having users email/msn. This way you can ask him if some is wrong.
4. Add DNS/IP at the end of your F: lines
5. If you remove a peer, do tell him that you have done, and ask him to remove his C: line
First step is to enable CCcam debugging. This can be done in one or two ways.
1. Run CCcam from command prompt like this: /var/bin/CCcam -d >>/var/log/debug & You need to stop the CCcam by kill it before you restart it with options.
2. If you have a linux server like Ubuntu, you can add this info to CCcam.cfg: DEBUG : yes. This option is fine, since you do not need to restart CCcam server. Debug data are then logged to /var/log/debug
Warning: Log files do grow rapidly large.
Debug
ECM
Most of the debug file will contain information on ECM handeling like this:
From remote server:
Jan 18 09:36:53 server2 CCcam: client demodemo ecm request for handler 0x64 0xb00(0x0) sid 0x135 ok: 1
Jan 18 09:36:54 server2 CCcam: remote ecm -> server.dyndns.org:12000 0xb00(0x000)
Jan 18 09:36:54 server2 CCcam: remote ecm <- server.dyndns.org:12000 ok
Local card:
Jan 21 17:34:01 server2 CCcam: client pedro ecm request for handler 0x64 0xb00(0x0) sid 0xdbb ok: 1
Jan 21 17:34:01 server2 CCcam: local ecm -> card /dev/ttyUSB0 0xb00(0x000) sid 0x5dd
Jan 21 17:34:01 server2 CCcam: local ecm <- card /dev/ttyUSB0 cw's from cache
EMM
EMM are the codes that keep you car alive. If you do not get this and have cards in your server, it will die after some time.
Jan 29 14:47:13 server2 CCcam: local emm -> card /dev/ttyUSB0 0xb00(0x000)
Jan 29 14:47:13 server2 CCcam: local emm <- card /dev/ttyUSB0 ok
Jan 29 14:47:13 server2 CCcam: client pedro emm 0xb00(0x0) ok: 1
Normal login
This shows a normal login from a client to your server:
Jan 17 13:34:53 server2 CCcam: login from 66.255.5.153
Jan 17 13:34:53 server2 CCcam: user pedro login attempt from 66.55.5.153
Jan 17 13:34:53 server2 CCcam: client pedro@a9d6346630a9639c, running CCcam 2.1.2
Portscan-Telnet
If some just open the CCcam port without logging in you get this info. This can come from some doung portscan, or just do a telnet yourip 12000
Jan 16 14:22:19 server2 CCcam: login from 155.10.10.132
Jan 16 14:22:25 server2 CCcam: kick 155.10.10.132, bad response
This command, do list all ip sorted and counted:
grep "bad response" | awk ' {arr[$7]++; next} END { for (i in arr) { if(arr[i]>0 ) {print i,arr[i] } } } ' | sort
Double login
Two or more users tries to log in to your server using same username
Jan 27 07:59:44 server2 CCcam: user badboy login attempt from 85.16.213.176
Jan 27 07:59:44 server2 CCcam: double login (badboy), (previous 84.202.182.63), reject
Jan 27 07:59:44 server2 CCcam: kick 85.16.213.176(), bad command
This command do list all double user login atempts:
cat /var/log/daemon.log | grep "double" | awk ' {arr[$8]++; next} END { for (i in arr) { if(arr[i]>0 ) {print i,arr[i] } } } ' | sort
Double nodeid
If a user has two CCcam servers running on same server. It may be possible to run separate node id, but not easy.
Jan 25 22:54:40 server2 CCcam: WARNING: double nodeid, user pedro and troja
Wrong password
Username do exits in your server but user tries wrong password
13:43:14.673 CCcam: login from 129.21.143.231
13:43:14.745 CCcam: user demo login attempt from 129.21.143.231
13:43:14.746 CCcam: wrong password supplied by 129.21.143.231
13:43:14.746 CCcam: kick 129.21.143.231, signature failed
Command to show what IP do use wrong password
cat /var/log/daemon.log | grep "wrong" | awk ' {arr[$10]++; next} END { for (i in arr) { if(arr[i]>0 ) {print i,arr[i] } } } '
This command do list the line above wrong password to try to list username. There may be other entries between wrong password and username.
cat /var/log/daemon.log | grep -B4 "wrong"
Jan 29 08:45:00 server2 CCcam: local ecm -> card /dev/ttyUSB0 0xb00(0x000) sid 0x1772
Jan 29 08:45:00 server2 CCcam: remote ecm -> 62.54.14.74:15000 0xb00(0x000)
Jan 29 08:45:00 server2 CCcam: login from 194.110.10.41
Jan 29 08:45:00 server2 CCcam: user dm800 login attempt from 194.11.10.41
Jan 29 08:45:00 server2 CCcam: wrong password supplied by 194.11.10.41
DNS or no user
This may be the most important to look for. There are two reason to see this error.
1. User that tries to log in does not exists.
2. Most commonly: You have added IP or DNS behind your F: line to prevent user from logging in from wrong site. User have for some reason changed IP, and or have not updated DNS (dyndns) after he have got a new IP.
Jan 25 07:30:50 server2 CCcam: login from 94.211.13.180
Jan 25 07:30:50 server2 CCcam: illegal user zambibi from 94.211.13.180
Jan 25 07:30:50 server2 CCcam: kick 94.211.13.180, signature failed
This command shows what user and how many times they have tried to login in from wrong ip:
cat /var/log/daemon.log | grep illegal | awk ' {arr[$8]++; next} END { for (i in arr) { if(arr[i]>1 ) {print i,arr[i] } } } ' | sort
Other info
This command do show last 100 important events in log file.
cat /var/log/daemon.log | grep -vE '(ecm request|local ecm|remote ecm|snmpd|emm|repeated|ntpd)' | tail -n 100
This is not my work, all credit to the original author Jotne