Regarding init scripts for Oscam, they are used to manage the initialization and startup of the Oscam service. Init scripts vary depending on the operating system you are using. Here are examples of init scripts for different operating systems Oscam init scripts running multiple Oscam 2024, instances and Oscam hardening
Hi all,
Oscam init scripts running multiple Oscam
In this tutorial I will
Oscam init scripts running multiple Oscam 2024
I – give you some usefull init scripts, to make an easy start/stop/restart and check of a Oscam instance.
II – show you how you can run and easily manage multiple Oscam instances on the same host.
this is usefull if for example you have multiple cards on your system and you want to use
different load_balancing modes for each card or bunch of same cards.
or for better performance instead of overloading one running oscam instance you run two or more instances.
III – show you how to harden and increase security of Oscam when running as server that is exposed to the Internet.
this is useful to not get hacked.
Copyright:
All presented information and code is released under the terms of the GPL-v3 licence
PART I
Prerequisits:
I assume you have compiled/downloaded Oscam so you got 2 binaries, “oscam” and “list_smargo”
Installation:
as user “root” you do:
Software Contents
Credit & Thanks to copyleft the script delevoper
Oscam init scripts running multiple Oscam 2024
sudo su –
mkdir -p /opt/oscam/{bin,conf,init}
cp oscam /opt/oscam/bin/oscam_svn_v1.23_build1234
chmod +x /opt/oscam/bin/oscam_svn_v1.23_build1234
ln -s /opt/oscam/bin/oscam_svn_v1.23_build1234 /opt/oscam/bin/oscam.bin
cp list_smargo /opt/oscam/bin/list_smargo_svn_v1.23_build1234
chmod +x /opt/oscam/bin/list_smargo_svn_v1.23_build1234
ln -s /opt/oscam/bin/list_smargo_svn_v1.23_build1234 /opt/oscam/bin/list_smargo
Creation of an Oscam instance:
Now I will create my first instance and I call it “hotbabe1”
mkdir /opt/oscam/conf/hotbabe1
I place my config files (oscam.conf, oscam.server, oscam.user …) for Oscam instance “hotbabe1” into “/opt/oscam/conf/hotbabe1”
Now I create the init script for Oscam instance “hotbabe1”
touch /opt/oscam/init/oscam.hotbabe1
chmod +x /opt/oscam/init/oscam.hotbabe1
Now copy the following code into “/opt/oscam/init/oscam.hotbabe1”
#!/bin/bash
#
OSCAM_BIN_DIR=”/opt/oscam/bin”
OSCAM_LOG_DIR=”/opt/oscam/log”
OSCAM_TMP_DIR=”/opt/oscam/tmp”
RUNASUSER=”root”
OSCAM_BIN=”oscam.bin”
DEVNULL=”/dev/null”
OSCAM_CONF_DIR=”/opt/oscam/conf/hotbabe1″
PROCESSNAME=”oscam.hotbabe1″
NICELEVEL=”-15″
#
check_oscam( ){
ps aux|grep -v grep|grep -q “$OSCAM_BIN_DIR/$OSCAM_BIN -c $OSCAM_CONF_DIR “
}
#
start_oscam( ){
sudo -u “$RUNASUSER” sh -c “”$OSCAM_BIN_DIR”/”$OSCAM_BIN” -c “$OSCAM_CONF_DIR” -t “$OSCAM_TMP_DIR” -b -d 1 -r 2″
for i in $(ps aux|grep -v grep|grep “$OSCAM_BIN_DIR/$OSCAM_BIN -c $OSCAM_CONF_DIR “|awk ‘{ print $2 }’); do
renice -n $NICELEVEL $i > “$DEVNULL” 2>&1
done
}
#
kill_oscam( ){
for i in $(ps aux|grep -v grep|grep “$OSCAM_BIN_DIR/$OSCAM_BIN -c $OSCAM_CONF_DIR “|awk ‘{ print $2 }’); do
kill -9 $i > “$DEVNULL” 2>&1
done
}
#
check_log_tmp_dir( ){
[ -d “$OSCAM_LOG_DIR” ] || mkdir -p “$OSCAM_LOG_DIR”
[ -d “$OSCAM_TMP_DIR” ] || mkdir -p “$OSCAM_TMP_DIR”
if [ $RUNASUSER != “root” ] ; then
[ $(ls -dl “$OSCAM_LOG_DIR”|awk ‘{print $3}’) == “$RUNASUSER” ] || chown -R “$RUNASUSER”:”$RUNASUSER” “$OSCAM_LOG_DIR”
[ $(ls -dl “$OSCAM_TMP_DIR”|awk ‘{print $3}’) == “$RUNASUSER” ] || chown -R “$RUNASUSER”:”$RUNASUSER” “$OSCAM_TMP_DIR”
fi
}
#
check_log_tmp_dir
case “$1” in
start)
check_oscam && echo “$PROCESSNAME allready running. Exiting!” && exit 1
echo “starting $PROCESSNAME!”
start_oscam
sleep 0.1
check_oscam && echo “$PROCESSNAME started successfully!” && exit 0
echo “Failed to start $PROCESSNAME. Exiting!” && exit 1
;;
stop)
! check_oscam && echo “$PROCESSNAME allready stopped!” && exit 1
echo “shutting down $PROCESSNAME!”
kill_oscam
sleep 0.1
! check_oscam && echo “$PROCESSNAME shutdown successfully!” && exit 0
echo “Failed to stop $PROCESSNAME. Exiting!” && exit 1
;;
restart)
! check_oscam && echo “$PROCESSNAME allready stopped!” && exit 1
echo “restarting $PROCESSNAME!”
kill_oscam
sleep 0.1
check_oscam && echo “Failed to stop $PROCESSNAME. Exiting!” && exit 1
start_oscam
sleep 0.1
check_oscam && echo “$PROCESSNAME restarted successfully!” && exit 0
echo “Failed to restart $PROCESSNAME. Exiting!” && exit 1
;;
status)
check_oscam && echo “$PROCESSNAME is running!” && exit 0
echo “$PROCESSNAME is stopped!” && exit 1
;;
*)
N=”/etc/init.d/$PROCESSNAME”
echo “Usage: “$N” {start|stop|restart|status}” >&2
exit 1
;;
esac
#
exit 0
Install the sript with:
ln -s /opt/oscam/init/oscam.hotbabe1 /etc/init.d/
Now you should be able to “start/stop/restart/status” your very “hotbabe1” Oscam instance
Just run:
Oscam init scripts running multiple Oscam 2023
service oscam.hotbabe1 status
service oscam.hotbabe1 stop
service oscam.hotbabe1 start
service oscam.hotbabe1 restart
Now for every additional Oscam instance we choose a different name e.g. “hotbabe2” and repeat the steps in “Creation of an Oscam instance:”,
and change the variables “OSCAM_CONF_DIR” and “PROCESSNAME” in the start script of the new instance.
Note that you have to choose a different port/ports for every new instance in the “oscam.conf” when running multile instances! Oscam init scripts running multiple Oscam 2023
PART II
Now once you have lots of running instances and hopefully lots of RAM
you need to manage them all easily. Thus we need a master Oscam init script.
I call it “oscam”
touch /opt/oscam/init/oscam
chmod +x /opt/oscam/init/oscam
ln -s /opt/oscam/init/oscam /etc/init.d/
Copy the following code into “/opt/oscam/init/oscam”
#!/bin/bash
#
case “$1” in
start)
for i in /etc/init.d/oscam.*; do $i start; done
;;
stop)
for i in /etc/init.d/oscam.*; do $i stop; done
;;
restart)
for i in /etc/init.d/oscam.*; do $i restart; done
;;
status)
for i in /etc/init.d/oscam.*; do $i status; done
;;
*)
N=”/etc/init.d/oscam”
echo “Usage: “$N” {start|stop|restart|status}” >&2
exit 1
;;
esac
exit 0
Now you can manage all of your Oscam instances by running:
service oscam status
service oscam stop
service oscam start
service oscam restart
PART III
First I will go through hardening Oscam on GNU-Linux OS level.
As you can see I use a “RUNASUSER” variable in the init script of the oscam instance.
Oscam init scripts running multiple Oscam 2023
When using oscam as a card reader we set it to run as root, as we need root privileges to write to the USB-device file of the card reader.
Another aproach would be writing a udev-rule to change the owner/permissions of the device file when it is created.
E.g. find out what device class does your reader belong to under GNU-Linux … write an udev rule …. and then set the “RUNASUSER” variable to an unpriviliged user.
But when using Oscam as a proxy or as a frontend server to other (not trusted internet) clients, then hardening comes into play.
So these are the steps to harden your Oscam server. Oscam init scripts running multiple Oscam 2023
groupadd -g 34523 oscam
useradd -d /dev/null -g 34523 -u 34523 -s /bin/false oscam
Now we just set “RUNASUSER” to oscam e.g. RUNASUSER=”oscam” in the oscam instance init script and restart oscam.
Now oscam is running as a non priviliged user with no shell and no home directory.
There are no performance issues with this setup.
By doing so it is hard to break in into your system now.
Now we need to harden Oscam and protect your cards on CS level. To do so just check the “ecm whitelisting option in oscam.conf”
Also only allow EMM from trusted clients.
Best practice is also to handle most “untrusted” ECM traffic via caching.
P.S. in the next toturial I will introduce you with a watchdog that I have written for Oscam.
Also a tutorial on how to protect your server against synflooding and port nocking attacks will follow.
Howto: Oscam watchdog
Credit to copyleft
Oscam is capable of restarting its self on errors/seqfaults. But I wanted to make sure that Oscam is “REALLY” handling some traffic (doing its job properly).
And here comes the Oscam watchdog into play. The idea of the watchdog is quite simple.
If no successful ECM’s are logged within a defined time frame, then the Oscam is started again.
Copyright:
All presented information and code is released under the terms of the GPL-v3 licence
Prerequisits:
– Oscam started with level 1 debugging option. Just look at the init script above – howto-oscam-init-scripts-running-multiple-oscam-instances-oscam-hardening.
-d 1
Installation:
We are going to create two scripts. One is the Oscam watchdog daemon, that will run as a proccess under GNU-Linux.
and a init script for the Oscam watchdog.
touch /opt/oscam/bin/oscam.watchdog.sh
touch /opt/oscam/init/oscamwatchdog
chmod +x /opt/oscam/bin/oscam.watchdog.sh
chmod +x /opt/oscam/init/oscamwatchdog
ln -s /opt/oscam/init/oscamwatchdog /etc/init.d/
update-rc.d oscamwatchdog defaults
Copy the following code into “/opt/oscam/bin/oscam.watchdog.sh”
#!/bin/bash
# Restart/start oscam if we dont log any successful cw transactions within a defined time frame”
OSCAM_INSTANCE=”$1″
CCCAM_INSTANCE=cccam.$(echo $OSCAM_INSTANCE|cut -d. -f2)
LOG_FILE=”/opt/oscam/log/$OSCAM_INSTANCE.log”
CHECK_INTERVALL=60
DATE_STAMP_LAST_CW=start # Dont touch this
SCRIPTNAME=”oscam.watchdog.sh”
CTR=0 # Dont touch this
MAX_RETRY=4
check_oscam( ){
DATE_STAMP_ACTUAL_CW=$(tail -n 1000 $LOG_FILE|grep “fail 0$”|tail -n 1|awk ‘{print $1 $2}’)
if [ ! -z “$DATE_STAMP_ACTUAL_CW” ] ; then
if [ $DATE_STAMP_LAST_CW = ‘start’ ] ; then
DATE_STAMP_LAST_CW=$DATE_STAMP_ACTUAL_CW
CTR=0
fi
if [ “$DATE_STAMP_LAST_CW” = “$DATE_STAMP_ACTUAL_CW” ] ; then
DATE_STAMP_LAST_CW=”$DATE_STAMP_ACTUAL_CW”
((CTR++))
if [ $CTR -gt $MAX_RETRY ] ; then
TIME_FRAME=$((${MAX_RETRY}*${CHECK_INTERVALL}))
logger -t $SCRIPTNAME “No successful cw transaction for $TIME_FRAME sec. Restarting $OSCAM_INSTANCE!”
service $OSCAM_INSTANCE stop > /dev/null 2>&1
sleep 2
service $OSCAM_INSTANCE start > /dev/null 2>&1
if [ -x /etc/init.d/$CCCAM_INSTANCE ] ; then
service $CCCAM_INSTANCE stop > /dev/null 2>&1
sleep 2
service $CCCAM_INSTANCE start > /dev/null 2>&1
fi
CTR=0
fi
else
DATE_STAMP_LAST_CW=”$DATE_STAMP_ACTUAL_CW”
fi
else
((CTR++))
if [ $CTR -gt $MAX_RETRY ] ; then
TIME_FRAME=$((${MAX_RETRY}*${CHECK_INTERVALL}))
logger -t $SCRIPTNAME “No successful cw transaction for $TIME_FRAME sec. Restarting $OSCAM_INSTANCE!”
service $OSCAM_INSTANCE stop > /dev/null 2>&1
sleep 2
service $OSCAM_INSTANCE start > /dev/null 2>&1
if [ -x /etc/init.d/$CCCAM_INSTANCE ] ; then
service $CCCAM_INSTANCE stop > /dev/null 2>&1
sleep 2
service $CCCAM_INSTANCE start > /dev/null 2>&1
fi
CTR=0
fi
fi
}
if [ -z $OSCAM_INSTANCE ] ; then
echo “Error: No Oscam instance specified!”
logger -t $SCRIPTNAME “Error: No Oscam instance specified!”
echo “Please give an Oscam instance. Exiting!”
logger -t $SCRIPTNAME “Please give an Oscam instance. Exiting!”
exit 1
fi
if [ ! -x /etc/init.d/$OSCAM_INSTANCE ] ; then
echo “Error: No valid Oscam instance specified!”
logger -t $SCRIPTNAME “Error: No valid Oscam instance specified!”
echo “Please give a valid Oscam instance. Exiting!”
logger -t $SCRIPTNAME “Please give a valid Oscam instance. Exiting!”
exit 1
fi
while true; do
check_oscam
sleep $CHECK_INTERVALL
done
Copy the following code into “/opt/oscam/init/oscamwatchdog”
echo “stopping “$OSCAM_WATCHDOG_PROCESS_NAME” daemon!”
stop_oscamwatchdog
exit 0
else
echo “$OSCAM_WATCHDOG_PROCESS_NAME is stopped. Exiting!”
exit 1
fi
;;
status)
if check_oscamwatchdog ; then
echo “$OSCAM_WATCHDOG_PROCESS_NAME is running!”
exit 0
else
echo “$OSCAM_WATCHDOG_PROCESS_NAME is stopped!”
exit 1
fi
;;
*)
N=”/etc/init.d/oscamwatchdog”
echo “Usage: “$N” {start|stop|status}” >&2
exit 1
;;
esac
exit 0
Now you can start stop status the Oscam watchdog by running
service oscamwatchdog start
service oscamwatchdog stop
service oscamwatchdog status
Every time you add a new Oscam instance you have to add it to the variable “OSCAM_SERVERS” in “/opt/oscam/init/oscamwatchdog”
and stop and start the watchdog.
There are also the variables “CHECK_INTERVALL” and “MAX_RETRY” in “/opt/oscam/bin/oscam.watchdog.sh”
With “CHECK_INTERVALL=60” the watchdog will check every 60 sec. This is a reasonable values since it would not stress your system.
Decreasing this value will put more load on your system.
With “MAX_RETRY=4” you tell the wathdog to restart/start Oscam if no ECM’s are seen after 4 minutes.
Higher values are better to avoid alot of disconnection/reconnection … when you are connected to other servers.