RawonGuard — Technical Documentation
v4.9.5 · Go 1.24+ · PostgreSQL 16 · Cloudflare Tunnel · Vanilla JS SPA · Zero-Trace Stealth
System Architecture
Overview of the components and how the services interact
Panel (Go / chi)
Central server. Receives heartbeats and events from agents, stores them in PostgreSQL, and relays them to the browser via WebSocket. Runs as a single ~18MB binary with the frontend embedded (go:embed). Reached through a Cloudflare Tunnel.
Agent-Go (Go binary)
Installed on the monitored server. Single binary, zero dependencies, full-featured. Runs 11+ modules in parallel: watcher, heartbeat, terminal PTY, tunnel, discovery, integrity, updater, filemanager.
Database (PostgreSQL 16)
Stores all data: events (JSONB payload), alerts (dedup_key), servers, commands, heartbeats, integrity baselines, sysinfo, discovery, notification channels, access logs.
Frontend (Vanilla JS SPA)
Dark terminal-style single-page app. One JS file per page (app.js, servers.js, terminal.js, etc.). No framework: plain vanilla JS + CSS. Embedded via go:embed; can be overridden with the FRONTEND_DIR environment variable.
NETWORK TOPOLOGY
Browser (xterm.js / SPA) --HTTPS--> Cloudflare Edge (CDN + DDoS) --CF Tunnel--> Panel :8000 (Go / chi) --TCP--> PostgreSQL 16 (localhost:5432)
Agent Mechanism
Single binary, goroutine supervisor, parallel modules
Package | Function
watcher | Monitors file integrity (inotify), auth.log (SSH/su), syslog (cron/firewall) and process anomalies; sends events to sendCh
terminal | PTY WebSocket manager: receives open/stdin/resize from the panel, spawns /bin/bash with a PTY, relays output back
tunnel | GS Rescue tunnel (gsocket/gs-netcat): spawns a hidden klogd as listener, reconnects automatically
transport | HTTP client with offline queue (SQLite), retry, fallback URL, CF Worker proxy
stealth | Daemonize, process masquerade, /proc hiding via mount, file hiding, self-protect
update | OTA updater: polls the version, downloads the new binary, verifies SHA256 + ELF arch, restarts via unix.Exec
filemanager | WebSocket file manager: browse, download and upload files on the target server
guard | Anti-tamper, watchdog, resurrect (systemd watchdog, no cron), binary backup+restore (chattr +i), multi-OS persistence
discovery | Automatic inventory: web server, PHP version, database, framework, open ports
sysinfo | Snapshot of CPU/RAM/disk/load, top processes, services; sent to the panel every 5 minutes
response | Executes commands from the panel: block_ip (iptables), kill PID, quarantine file, security scan
scanner | Security scanner: detects rootkits, suspicious files, SUID binaries
config | Loads svc.yml from the hidden install dir, migrates the URL to the CF Worker
event | Event struct, severity enum, heartbeat payload
template | Event template system: event pattern matching, severity override
Complete Workflow
Install:
1. curl install.sh: one-liner from the panel
2. Detect OS/Arch: amd64/arm64/mips/i686
3. Download binary: /dl/agent-linux-amd64
4. Register with the panel: POST /api/agent/register
5. Write svc.yml: hidden install dir
6. Install systemd unit: systemd-sysconf.service
7. Agent start: daemonize + stealth
Event flow:
A. Watcher detects: inotify / tail log
B. Event → sendCh: channel buffer 1000
C. Batch & flush: 5s / 30min
D. POST /events: sent to the panel
E. MaybeCreateAlert: dedup + severity check
F. NotifyAlert: Telegram/Discord
Stealth & Zero-Trace System
10 layers of concealment: the agent is not detected, cannot be sabotaged, and survives on any OS
01
Process Masquerade (argv[0])
The binary overwrites argv[0] with a kernel-thread name such as [kworker/u2:2]. In ps aux the result looks identical to a kernel process.
stealth.MasqueradeProcess() → prctl(PR_SET_NAME) + argv[0] overwrite
02
/proc PID Hiding (mount bind)
The /proc/<pid> entry is bind-mounted over with /dev/shm (an empty tmpfs). Any tool that reads /proc via readdir() no longer sees that PID.
stealth.HideFromProc() → mount --bind /dev/shm /proc/<pid>
03
File Hiding (LD_PRELOAD)
Injects libprocesshider.so via /etc/ld.so.preload. Hooks readdir() / readdir64() in libc to filter the install-dir entry out of ls and find output.
stealth.HideFiles() → /etc/ld.so.preload + libprocesshider.so
04
Systemd Service Camouflage
The systemd service is named systemd-sysconf, resembling a built-in systemd service. The install dir is hidden at /opt/.cache/.systemd-private/.
guard.SanitizeServiceFiles() → fix detectable artifacts
05
Anti-Forensic Shell
The bash shell is spawned with --noprofile --init-file /dev/shm/.XXXXXXXX. HISTFILE=/dev/null, HISTSIZE=0. The temp file is deleted 2 seconds after spawn.
terminal/pty_linux.go → --init-file /dev/shm/.XXXXXXXX (deleted after 2s)
06
Zero-Trace Install
No .wget-hsts, no temp files, no apt/yum log entries. The download goes straight to memory (pipe); the binary is written with an atomic rename.
install.sh → WGETRC=/dev/null, unset HISTFILE, rm -f after install
07
Goroutine Recovery (no exit)
A crashed module is restarted inside the same process. The binary never exits, so there is no systemd restart log and no journald entry.
main.go → runModule() → recover() + 5s restart in-process
08
Binary Backup + Immutable Recovery
A backup copy of the binary lives in /var/lib/systemd/coredump/ (stealthy). Protected with chattr +i: survives apt clean, dnf clean, even rm -rf as root.
guard/backup.go → InitBackup() + RestoreFromBackup() + chattr +i
09
Recovery Service (No Cron)
systemd-conf-recover.service in /lib/systemd/system/. 60s loop: if the primary service is down, restart it. No cron, because cron is detectable via crontab -l.
guard/resurrect.go → systemdUnitDir() + ensureRecoveryService()
10
Multi-OS Persistence (Non-systemd)
For Alpine/OpenRC and CentOS 5/SysVinit: auto-detects the init system. OpenRC: /etc/init.d/sysconf-daemon + rc-update. SysVinit: LSB + update-rc.d. Fallback: /etc/rc.local.
guard/persist.go → hasOpenRC() → ensureOpenRC() / ensureInitD() / ensureRcLocal()
Self-Healing System: The Agent Cannot Be Killed
A layered system that keeps the agent alive even when it is attacked, deleted, or the server is restarted
<5s
Recovery of a crashed module (goroutine supervisor)
<30s
Binary restored from backup if deleted
<60s
Service restart by the recovery watchdog
0
Cron traces, no suspicious entries
Scenario 1: Kill Process
kill -9 <pid> / systemctl stop
systemd auto-restart (<3s): Restart=always RestartSec=3
Recovery service loop (60s): detects it is down → systemctl start
Scenario 2: Delete Binary
rm -rf /path/svc-daemon
inotify detects IN_DELETE (<1s): triggers RestoreFromBackup()
Watchdog SHA-256 check (30s): empty hash → restore from backup
Scenario 3: Delete Backup
rm -rf /var/lib/systemd/coredump/.XXXX
chattr +i → Operation not permitted: rm fails even as root
InitBackup() re-creates it within 10 minutes at an alternate location
Scenario 4: Server Restart
reboot / shutdown -r
systemd auto-start: WantedBy=multi-user.target
Non-systemd servers: OpenRC / init.d / rc.local
T+0s
Attack occurs
The threat actor kills the process, deletes the binary, or stops the service. The system starts detecting the anomaly.
T+0s–1s
inotify trigger
antitamper.go receives IN_DELETE → RestoreFromBackup(). The backup is copied to the primary path, chmod +x, systemctl restart.
T+3s
systemd Restart=always
If the process died from a kill, systemd restarts it within RestartSec=3. The service comes up normally.
T+5s
Goroutine supervisor recovery
A crashed module (panic) → runModule() recovers it and restarts it in-process. No systemd restart log.
T+30s
Watchdog integrity check
checkBinaryIntegrity() runs every 30 seconds. Empty hash → RestoreFromBackup() as the second safety net.
T+60s
Recovery service loop
systemd-conf-recover.service checks the primary service status every 60 seconds. The final layer, which works even when every in-process mechanism is unreachable.
T+max 60s
Agent fully back
All modules active again: heartbeat, watcher, terminal, tunnel. The connection to the panel is restored.
Alerts & Notifications
Event types, severity routing, and real-time notifications
Event Type | Severity | Source | Description
file_modified | CRITICAL | inotify | Important file changed (/etc/passwd, /etc/shadow, etc.)
malicious_process | CRITICAL | watcher | 18 signatures: miner, backdoor, trojan, C2 tools
ssh_login | HIGH | auth.log | Successful SSH password login
ssh_key_login | HIGH | auth.log | Successful SSH public-key login
su_login | HIGH | syslog | Successful su to another user
ssh_failed | MEDIUM | auth.log | Failed SSH login (brute-force indicator)
firewall_block | MEDIUM | syslog | iptables DROP/REJECT event
cron_execution | LOW | syslog | Cron job execution
session_open | LOW | syslog | pam_unix session opened
file_created | LOW | inotify | New file created in a monitored path
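The table above lists which log lines become which event at which severity, and steps E and F of the workflow (MaybeCreateAlert: dedup + severity check, then NotifyAlert) say what happens next. The following Go program is an added example written for this page, not code from the RawonGuard repository: it classifies the log lines behind the ssh_login, ssh_key_login, ssh_failed, su_login, cron_execution, firewall_block and session_open rows into events with the severities in the table, then applies a 5-minute dedup window and a minimum-severity check. The Event field names, the dedup key layout (server:type:actor), the minimum-severity threshold and the sample log lines are assumptions constructed for the example; the real dedup_key column format is not documented here.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Severity mirrors the four levels used in the event table.
type Severity int

const (
	LOW Severity = iota
	MEDIUM
	HIGH
	CRITICAL
)

func (s Severity) String() string { return [...]string{"LOW", "MEDIUM", "HIGH", "CRITICAL"}[s] }

// Event is a stand-in for the agent's event struct; the field names are assumed.
type Event struct {
	Type     string
	Severity Severity
	Source   string // auth.log or syslog, as in the table
	Actor    string // user or source IP, used to build the dedup key
}

// rule maps a log pattern to an event type; actor is the capture group that
// identifies who or where the event came from.
type rule struct {
	re       *regexp.Regexp
	typ      string
	severity Severity
	source   string
	actor    int
}

// Patterns follow common OpenSSH, su, cron, netfilter and pam_unix log formats.
var rules = []rule{
	{regexp.MustCompile(`Accepted password for (\S+) from (\S+)`), "ssh_login", HIGH, "auth.log", 2},
	{regexp.MustCompile(`Accepted publickey for (\S+) from (\S+)`), "ssh_key_login", HIGH, "auth.log", 2},
	{regexp.MustCompile(`Failed password for (?:invalid user )?(\S+) from (\S+)`), "ssh_failed", MEDIUM, "auth.log", 2},
	{regexp.MustCompile(`su: \(to (\S+)\) (\S+) on`), "su_login", HIGH, "syslog", 2},
	{regexp.MustCompile(`CRON\[\d+\]: \((\S+)\) CMD \((.+)\)`), "cron_execution", LOW, "syslog", 1},
	{regexp.MustCompile(`(?:DROP|REJECT|UFW BLOCK).*SRC=(\S+)`), "firewall_block", MEDIUM, "syslog", 1},
	{regexp.MustCompile(`pam_unix\(\S+:session\): session opened for user (\S+)`), "session_open", LOW, "syslog", 1},
}

// Classify turns one raw log line into an Event; ok is false when no rule matches.
func Classify(line string) (Event, bool) {
	for _, r := range rules {
		if m := r.re.FindStringSubmatch(line); m != nil {
			return Event{Type: r.typ, Severity: r.severity, Source: r.source, Actor: m[r.actor]}, true
		}
	}
	return Event{}, false
}

// DedupKey is server:type:actor (assumed layout; the real dedup_key column is not documented here).
func DedupKey(server string, e Event) string { return server + ":" + e.Type + ":" + e.Actor }

// Deduper remembers when each key last produced an alert.
type Deduper struct {
	window time.Duration
	last   map[string]time.Time
}

func NewDeduper(window time.Duration) *Deduper {
	return &Deduper{window: window, last: map[string]time.Time{}}
}

// MaybeCreateAlert applies the severity check and the dedup window: an event
// below minSeverity never alerts, and a repeat of the same key inside the
// window is suppressed. It returns true when an alert should be created.
func (d *Deduper) MaybeCreateAlert(server string, e Event, now time.Time, minSeverity Severity) bool {
	if e.Severity < minSeverity {
		return false
	}
	key := DedupKey(server, e)
	if t, ok := d.last[key]; ok && now.Sub(t) < d.window {
		return false
	}
	d.last[key] = now
	return true
}

func main() {
	// Constructed sample lines; the addresses are from documentation ranges.
	lines := []string{
		"May 10 12:00:01 web-01 sshd[1234]: Accepted password for root from 203.0.113.5 port 22 ssh2",
		"May 10 12:00:01 web-01 sshd[1235]: Accepted password for root from 203.0.113.5 port 23 ssh2",
		"May 10 12:00:02 web-01 sshd[1240]: Failed password for invalid user admin from 198.51.100.9 port 4022 ssh2",
		"May 10 12:00:02 web-01 su: (to root) alice on pts/0",
		"May 10 12:00:03 web-01 CRON[2222]: (root) CMD (/usr/local/bin/backup.sh)",
		"May 10 12:00:04 web-01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP DPT=23",
		"May 10 12:00:05 web-01 systemd[1]: Started Daily apt upgrade and clean activities.",
	}
	d := NewDeduper(5 * time.Minute)
	now := time.Now()
	for _, l := range lines {
		e, ok := Classify(l)
		if !ok {
			continue
		}
		fmt.Printf("%-15s %-8s %-8s actor=%-15s alert=%v\n",
			e.Type, e.Severity, e.Source, e.Actor, d.MaybeCreateAlert("web-01", e, now, MEDIUM))
	}
}
```

The second SSH line in the sample is suppressed because it shares the dedup key with the first, the cron line is classified but falls below the MEDIUM threshold, and the systemd line matches no rule at all. Whether a LOW event should be stored but not notified, or dropped entirely, is a policy choice the table does not settle; the example keeps the two decisions (classification and alerting) separate so either policy can be applied.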
Complete Feature List
Panel
JWT + bcrypt authentication
Multi-server dashboard
Real-time event stream (WS)
Alert dedup, 5 minutes
Telegram notifications
Discord notifications
Command push via WS
WS relay for terminal PTY
WS relay for file manager
OTA agent update
Canary rollout system
FRONTEND_DIR dev mode
Server detail: Info/Activity/Inventory/Network/Users/System/Commands
Access Keys management
Settings: notification channels, global config
Agent: Monitoring
File integrity (SHA-256 inotify)
SSH login alert (HIGH, instant)
SSH failed (MEDIUM)
su login (HIGH)
Cron execution (LOW)
Firewall block (MEDIUM)
Malicious process (18 signatures)
Dual-interval batching (5s/30min)
Offline queue (SQLite)
Heartbeat every 60s
Server discovery (web/DB/lang)
Integrity baseline (user + file hash)
SysInfo (CPU/RAM/disk/service)
Agent: Stealth & Resilience
argv[0] process masquerade
/proc PID hiding (mount bind)
File hiding (LD_PRELOAD hook)
Service: systemd-sysconf
Hidden install dir
Anti-forensic shell init
PS1 via --init-file /dev/shm
Goroutine supervisor (restart 5s)
Zero-trace installer
Anti-tamper binary guard
Binary backup + restore (chattr +i)
Recovery service (no cron)
Multi-OS persist (OpenRC/init.d/rc.local)
StartResurrect federated coverage
ELF arch validation for OTA
Agent: Access & Terminal
Web terminal (xterm.js)
PTY session keepalive 5 minutes
Output ring buffer 64KB
Auto-reconnect + reclaim PTY
Clipboard auto-copy (selection)
Saved commands sidebar
Shell selector (bash/sh/zsh)
GS Rescue tunnel
Web file manager
CF Worker proxy (primary URL)
Fallback URL if the worker is down
Why It Is Hard to Find
What the Attacker Sees
ps aux | no suspicious process, only ordinary systemd processes
ls /opt /srv /home | install dir not visible (LD_PRELOAD hook)
systemctl list-units | systemd-sysconf and systemd-conf-recover look like built-in units
crontab -l / cat /etc/cron* | no entries at all
cat /etc/ld.so.preload | entry hidden when file hiding is active
Even If Found
kill -9 | systemd restarts it within 3 seconds
systemctl disable + stop | recovery service still active, restarts within 60s
rm binary | inotify detects within 1s, restored from the immutable backup
rm backup | chattr +i blocks it: "Operation not permitted"
reboot server | every persistence layer is active, the agent starts again automatically
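The "What the Attacker Sees" list above, and concealment layers 01 to 03 in the stealth section (argv[0] masquerade, an empty tmpfs mounted over /proc/<pid>, a readdir() hook loaded through /etc/ld.so.preload), describe what a hooked ps, ls or cat reports. Each of those layers still leaves a trace that is visible from an independent vantage point, and the following Go program is an added example of such a host check; it is not part of RawonGuard. It cross-references a directory listing of /proc against a stat() probe of every PID up to pid_max (the approach the unhide tool takes), filters out non-leader threads so they are not reported as hidden, lists every mount point of the form /proc/<pid> found in /proc/self/mountinfo, and prints the entries of /etc/ld.so.preload. The mountinfo and preload contents used in the test are constructed samples.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// HiddenPIDs returns the PIDs present in probed but absent from listed.
// listed is what a directory read of /proc returned; probed is every PID
// for which /proc/<pid> answered to a direct lookup.
func HiddenPIDs(listed, probed []int) []int {
	seen := make(map[int]bool, len(listed))
	for _, p := range listed {
		seen[p] = true
	}
	var hidden []int
	for _, p := range probed {
		if !seen[p] {
			hidden = append(hidden, p)
		}
	}
	return hidden
}

// ProcBindMounts scans /proc/self/mountinfo text and returns every mount
// point of the form /proc/<pid>. The mount point is the fifth field of each
// line; a normal system has no mounts at all directly under /proc/<pid>.
func ProcBindMounts(mountinfo string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 {
			continue
		}
		tail := strings.TrimPrefix(f[4], "/proc/")
		if tail == f[4] {
			continue // mount point is not under /proc/
		}
		if _, err := strconv.Atoi(tail); err == nil {
			hits = append(hits, f[4])
		}
	}
	return hits
}

// PreloadEntries returns the libraries named in /etc/ld.so.preload content,
// skipping blank lines and comments. On most hosts the file does not exist,
// so every entry deserves a look.
func PreloadEntries(content string) []string {
	var out []string
	for _, l := range strings.Split(content, "\n") {
		if l = strings.TrimSpace(l); l != "" && !strings.HasPrefix(l, "#") {
			out = append(out, l)
		}
	}
	return out
}

// isProcessDir reports whether /proc/<pid> exists and belongs to a thread-group
// leader. Non-leader threads also answer to /proc/<tid> but are never listed
// by a directory read, so they must not be counted as hidden. A directory whose
// status file cannot be read is kept as a candidate: that is what an empty
// tmpfs mounted over it looks like.
func isProcessDir(pid int) bool {
	dir := "/proc/" + strconv.Itoa(pid)
	if _, err := os.Stat(dir); err != nil {
		return false
	}
	b, err := os.ReadFile(dir + "/status")
	if err != nil {
		return true
	}
	for _, l := range strings.Split(string(b), "\n") {
		if strings.HasPrefix(l, "Tgid:") {
			tgid, _ := strconv.Atoi(strings.TrimSpace(strings.TrimPrefix(l, "Tgid:")))
			return tgid == pid
		}
	}
	return true
}

// listProcPIDs reads /proc with os.ReadDir. A pure-Go binary issues getdents64
// itself instead of calling libc readdir(), so a preloaded libc hook does not
// filter this listing; it is still compared against the probe below.
func listProcPIDs() []int {
	entries, _ := os.ReadDir("/proc")
	var pids []int
	for _, e := range entries {
		if p, err := strconv.Atoi(e.Name()); err == nil && e.IsDir() {
			pids = append(pids, p)
		}
	}
	return pids
}

// probePIDs tries every PID from 1 to pid_max (default 32768 if unreadable).
func probePIDs() []int {
	limit := 32768
	if b, err := os.ReadFile("/proc/sys/kernel/pid_max"); err == nil {
		if v, err := strconv.Atoi(strings.TrimSpace(string(b))); err == nil {
			limit = v
		}
	}
	var pids []int
	for p := 1; p <= limit; p++ {
		if isProcessDir(p) {
			pids = append(pids, p)
		}
	}
	return pids
}

func main() {
	fmt.Println("PIDs missing from the /proc listing:", HiddenPIDs(listProcPIDs(), probePIDs()))
	if b, err := os.ReadFile("/proc/self/mountinfo"); err == nil {
		fmt.Println("mounts over /proc/<pid>:", ProcBindMounts(string(b)))
	}
	if b, err := os.ReadFile("/etc/ld.so.preload"); err == nil {
		fmt.Println("ld.so.preload entries:", PreloadEntries(string(b)))
	} else {
		fmt.Println("ld.so.preload:", err)
	}
}
```

Run it as root from a statically linked copy built on a trusted machine, since a binary built or run through the host's own libc could itself be subject to the preload hook. A process that exits between the stat and the status read shows up as a transient false positive, so repeat the run before acting on a single hit, and treat any /proc/<pid> mount point or any ld.so.preload entry that the package manager cannot account for as a finding in its own right.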
Source Map
File | Function | Mechanism
guard/backup.go | InitBackup() RestoreFromBackup() | Stealthy binary backup + chattr +i immutable
guard/resurrect.go | StartResurrect() ensureRecoveryService() | systemd-conf-recover.service watchdog, no cron
guard/persist.go | EnsurePersistence() | OpenRC / init.d / rc.local for non-systemd
guard/antitamper.go | handleTamper() | inotify IN_DELETE → restore binary in real time
guard/watchdog.go | checkBinaryIntegrity() | SHA-256 hash check every 30s, restore if missing
main.go | runModule() | Goroutine supervisor, recover() + restart 5s
agent/install.sh | systemctl enable | Registers every persistence layer at install time