hello,
I try to run two different oscam in ubuntu; is what you could help me edit your script
thank you in advance
Display MoreAll Credit to copyleft from oscam.to
PART I
Prerequisits:
I assume you have compiled/downloaded Oscam so you got 2 binaries, "oscam" and "list_smargo"
Installation:
as user "root" you do:
Codesudo su - mkdir -p /opt/oscam/{bin,conf,init} cp oscam /opt/oscam/bin/oscam_svn_v1.23_build1234 chmod +x /opt/oscam/bin/oscam_svn_v1.23_build1234 ln -s /opt/oscam/bin/oscam_svn_v1.23_build1234 /opt/oscam/bin/oscam.bin cp list_smargo /opt/oscam/bin/list_smargo_svn_v1.23_build1234 chmod +x /opt/oscam/bin/list_smargo_svn_v1.23_build1234 ln -s /opt/oscam/bin/list_smargo_svn_v1.23_build1234 /opt/oscam/bin/list_smargo
Creation of an Oscam instance:
Now I will create my first instance and I call it "hotbabe1"
Codemkdir /opt/oscam/conf/hotbabe1
I place my config files (oscam.conf, oscam.server, oscam.user ...) for Oscam instance "hotbabe1" into "/opt/oscam/conf/hotbabe1"
Now I create the init script for Oscam instance "hotbabe1"
Codetouch /opt/oscam/init/oscam.hotbabe1 chmod +x /opt/oscam/init/oscam.hotbabe1
Now copy the following code into "/opt/oscam/init/oscam.hotbabe1"
BashDisplay More#!/bin/bash # OSCAM_BIN_DIR="/opt/oscam/bin" OSCAM_LOG_DIR="/opt/oscam/log" OSCAM_TMP_DIR="/opt/oscam/tmp" RUNASUSER="root" OSCAM_BIN="oscam.bin" DEVNULL="/dev/null" OSCAM_CONF_DIR="/opt/oscam/conf/hotbabe1" PROCESSNAME="oscam.hotbabe1" NICELEVEL="-15" # check_oscam( ){ ps aux|grep -v grep|grep -q "$OSCAM_BIN_DIR/$OSCAM_BIN -c $OSCAM_CONF_DIR " } # start_oscam( ){ sudo -u "$RUNASUSER" sh -c ""$OSCAM_BIN_DIR"/"$OSCAM_BIN" -c "$OSCAM_CONF_DIR" -t "$OSCAM_TMP_DIR" -b -d 1 -r 2" for i in $(ps aux|grep -v grep|grep "$OSCAM_BIN_DIR/$OSCAM_BIN -c $OSCAM_CONF_DIR "|awk '{ print $2 }'); do renice -n $NICELEVEL $i > "$DEVNULL" 2>&1 done } # kill_oscam( ){ for i in $(ps aux|grep -v grep|grep "$OSCAM_BIN_DIR/$OSCAM_BIN -c $OSCAM_CONF_DIR "|awk '{ print $2 }'); do kill -9 $i > "$DEVNULL" 2>&1 done } # check_log_tmp_dir( ){ [ -d '$OSCAM_LOG_DIR' ] || mkdir -p "$OSCAM_LOG_DIR" [ -d '$OSCAM_TMP_DIR' ] || mkdir -p "$OSCAM_TMP_DIR" if [ $RUNASUSER != 'root' ] ; then [ $(ls -dl '$OSCAM_LOG_DIR'|awk '{print $3}') == '$RUNASUSER' ] || chown -R "$RUNASUSER":"$RUNASUSER" "$OSCAM_LOG_DIR" [ $(ls -dl '$OSCAM_TMP_DIR'|awk '{print $3}') == '$RUNASUSER' ] || chown -R "$RUNASUSER":"$RUNASUSER" "$OSCAM_TMP_DIR" fi } # check_log_tmp_dir case "$1" in start) check_oscam && echo "$PROCESSNAME allready running. Exiting!" && exit 1 echo "starting $PROCESSNAME!" start_oscam sleep 0.1 check_oscam && echo "$PROCESSNAME started successfully!" && exit 0 echo "Failed to start $PROCESSNAME. Exiting!" && exit 1 ;; stop) ! check_oscam && echo "$PROCESSNAME allready stopped!" && exit 1 echo "shutting down $PROCESSNAME!" kill_oscam sleep 0.1 ! check_oscam && echo "$PROCESSNAME shutdown successfully!" && exit 0 echo "Failed to stop $PROCESSNAME. Exiting!" && exit 1 ;; restart) ! check_oscam && echo "$PROCESSNAME allready stopped!" && exit 1 echo "restarting $PROCESSNAME!" kill_oscam sleep 0.1 check_oscam && echo "Failed to stop $PROCESSNAME. Exiting!" && exit 1 start_oscam sleep 0.1 check_oscam && echo "$PROCESSNAME restarted successfully!" && exit 0 echo "Failed to restart $PROCESSNAME. Exiting!" && exit 1 ;; status) check_oscam && echo "$PROCESSNAME is running!" && exit 0 echo "$PROCESSNAME is stopped!" && exit 1 ;; *) N="/etc/init.d/$PROCESSNAME" echo "Usage: "$N" {start|stop|restart|status}" >&2 exit 1 ;; esac # exit 0
Install the sript with:
Codeln -s /opt/oscam/init/oscam.hotbabe1 /etc/init.d/
Now you should be able to "start/stop/restart/status" your very "hotbabe1" Oscam instance
Just run:
Codeservice oscam.hotbabe1 status service oscam.hotbabe1 stop service oscam.hotbabe1 start service oscam.hotbabe1 restart
Now for every additional Oscam instance we choose a different name e.g. "hotbabe2" and repeat the steps in "Creation of an Oscam instance:",
and change the variables "OSCAM_CONF_DIR" and "PROCESSNAME" in the start script of the new instance.
Note that you have to choose a different port/ports for every new instance in the "oscam.conf" when running multile instances!
PART II
Now once you have lots of running instances and hopefully lots of RAM :)
you need to manage them all easily. Thus we need a master Oscam init script.
I call it "oscam"
Codetouch /opt/oscam/init/oscam chmod +x /opt/oscam/init/oscam ln -s /opt/oscam/init/oscam /etc/init.d/
Copy the following code into "/opt/oscam/init/oscam"
BashDisplay More#!/bin/bash # case "$1" in start) for i in /etc/init.d/oscam.*; do $i start; done ;; stop) for i in /etc/init.d/oscam.*; do $i stop; done ;; restart) for i in /etc/init.d/oscam.*; do $i restart; done ;; status) for i in /etc/init.d/oscam.*; do $i status; done ;; *) N="/etc/init.d/oscam" echo "Usage: "$N" {start|stop|restart|status}" >&2 exit 1 ;; esac exit 0
Now you can manage all of your Oscam instances by running:
Codeservice oscam status service oscam stop service oscam start service oscam restart
PART III
First I will go through hardening Oscam on GNU-Linux OS level.
As you can see I use a "RUNASUSER" variable in the init script of the oscam instance.
When using oscam as a card reader we set it to run as root, as we need root privileges to write to the USB-device file of the card reader.
Another aproach would be writing a udev-rule to change the owner/permissions of the device file when it is created.
E.g. find out what device class does your reader belong to under GNU-Linux ... write an udev rule .... and then set the "RUNASUSER" variable to an unpriviliged user.
But when using Oscam as a proxy or as a frontend server to other (not trusted internet) clients, then hardening comes into play.
So these are the steps to harden your Oscam server.
Codegroupadd -g 34523 oscam useradd -d /dev/null -g 34523 -u 34523 -s /bin/false oscam
Now we just set "RUNASUSER" to oscam e.g. RUNASUSER="oscam" in the oscam instance init script and restart oscam.
Now oscam is running as a non priviliged user with no shell and no home directory.
There are no performance issues with this setup.
By doing so it is hard to break in into your system now.
Now we need to harden Oscam and protect your cards on CS level. To do so just check the "ecm whitelisting option in oscam.conf"
Also only allow EMM from trusted clients.
Best practice is also to handle most "untrusted" ECM traffic via caching.
P.S. in the next toturial I will introduce you with a watchdog that I have written for Oscam.
Also a tutorial on how to protect your server against synflooding and port nocking attacks will follow.
Cheers
