mfdhilftrmn31/RCDIDN
GitHub: mfdhilftrmn31/RCDIDN
A single-file active defense system with 38 integrated features that turns a server into a high-interaction honeypot and collects attacker threat intelligence.
Stars: 0 | Forks: 0
```
██████╗ ██████╗ ██████╗ ██╗██████╗ ███╗ ██╗
██╔══██╗██╔════╝ ██╔══██╗██║██╔══██╗████╗ ██║
██████╔╝██║ ██║ ██║██║██║ ██║██╔██╗ ██║
██╔══██╗██║ ██║ ██║██║██║ ██║██║╚██╗██║
██║ ██║╚██████╗ ██████╔╝██║██████╔╝██║ ╚████║
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝╚═════╝╚═╝ ╚═══╝
```
```
→ busy_server | flapping | degrading |
recovering | random_chaos
mirror → DARK MIRROR
economics → HONEYPOT ECONOMICS
pheromone → DIGITAL PHEROMONE stats
pheromone deploy → Deploy all 5 bait files
ghostnet → GHOST NETWORK topology
evidence → REGULATORY TRAP status
evidence collect → Collect forensic evidence (SHA-256)
evidence report idcert → Report for ID-CERT Indonesia
evidence report bssid → Report for BSSN Indonesia
evidence report interpol → Report for INTERPOL
SYSTEM
test → Run 6 unit tests
status → Show vault and daemon status
help → Show this menu
exit → Exit commander
AI HONEYPOT CONFIG
setkey → Set AI provider + key (Gemini / OpenAI / Claude / DeepSeek)
aikey → Show active AI provider and key status
╚══════════════════════════════════════════════════════════╝
```
### Core defense
#### `run` — Encrypt files + deploy canaries
```
RCDIDN > run
```
```
[?] Enter RCDIDN Master Password: ████████████
[+] Scanning current directory for sensitive files...
[+] Vaulted : .env → ~/.rcdidn_vault/3a7f1b2c4d8e.enc
[+] Vaulted : database.json → ~/.rcdidn_vault/9e2d5a6f1c4b.enc
[+] Vaulted : config.yaml → ~/.rcdidn_vault/7c3b8d9e2f1a.enc
[+] Canary deployed : .env (fake AWS keys + DB credentials)
[+] Canary deployed : database.json
[+] .gitignore updated with RCDIDN protection rules.
[+] PHP Sentinel injected into index.php
[+] Done. 3 file(s) vaulted. Canaries deployed.
=========================================================
[!] BACKUP REMINDER : /home/user/.rcdidn_vault
[!] Losing this directory means ALL encrypted files are UNRECOVERABLE.
=========================================================
```
#### `restore` — Decrypt files back to their original state
```
RCDIDN > restore
```
```
[!] Restore ALL files? (y/N): y
[?] Enter RCDIDN Master Password: ████████████
[+] Restored: .env
[+] Restored: database.json
[+] Restored: config.yaml
[+] Restore complete. 3 file(s) recovered.
```
#### `restart` — Re-encrypt after editing
```
RCDIDN > restart
```
```
[?] Enter RCDIDN Master Password: ████████████
[+] Re-locked: .env
[+] Re-locked: database.json
[+] Re-locked: config.yaml
[+] Restart complete. 3 file(s) re-locked.
```
#### `gk` — Rotate the master password
```
RCDIDN > gk
```
```
[!] WARNING: A new password renders all previously encrypted files UNRECOVERABLE
unless you decrypt them first.
Continue? (y/N): y
Create Master Password: ████████████
Confirm Password: ████████████
[+] New Master Password set. Re-run 'run' to re-encrypt with the new key.
```
Rotate in this order: `restore` (decrypt with the old password), then `gk`, then `run` (re-encrypt with the new one). Anything still vaulted when `gk` runs is lost.
### IPS and honeypots
#### `ips start` — Start all honeypots + the auto-ban daemon
```
RCDIDN > ips start
```
```
[+] HoneyPort 'AI-Interrogator' active on port 2323 [AI] (max 200 threads)
[+] HoneyPort 'Fake-SSH' active on port 2222 [TARPIT] (max 200 threads)
[+] HoneyPort 'Fake-MySQL' active on port 3306 [TARPIT] (max 200 threads)
[+] GHOST NETWORK active on port 4444 — simulating 10 fake hosts
[+] IPS daemon launched (PID: 14821)
```
#### `ips stop` — Stop all honeypots
```
RCDIDN > ips stop
```
```
[+] IPS daemon (PID 14821) stopped.
```
### Threat intelligence
#### `stats` — Live threat dashboard
```
RCDIDN > stats
```
```
╔══════════════════════════════════════════════════════════╗
║ RCDIDN — THREAT INTELLIGENCE DASHBOARD ║
╠══════════════════════════════════════════════════════════╣
Period : Last 30 days
Total Events : 2,847
Unique Attacker IPs : 391
IPs Banned : 388
Attack Events : 1,204
╠══════════════════════════════════════════════════════════╣
TOP ATTACKER TOOLS
Masscan ████████████████████ 42%
Nmap ████████████░░░░░░░░ 28%
ZGrab ██████░░░░░░░░░░░░░░ 15%
Unknown ████░░░░░░░░░░░░░░░░ 10%
Mirai ██░░░░░░░░░░░░░░░░░░ 5%
╠══════════════════════════════════════════════════════════╣
TOP ATTACKING COUNTRIES
China ████████████████████ 38%
Russia ██████████░░░░░░░░░░ 22%
Netherlands ██████░░░░░░░░░░░░░░ 14%
USA ████░░░░░░░░░░░░░░░░ 12%
Germany ███░░░░░░░░░░░░░░░░░ 9%
╠══════════════════════════════════════════════════════════╣
PHANTOM CLOCK — HONEYPOT EFFECTIVENESS
AI Honeypot Avg Dwell : 18m 24s
Canary Hits : 47
Total Dwell Sessions : 93
╚══════════════════════════════════════════════════════════╝
```
#### `profile` — MINDPRINT attacker profiling
```
RCDIDN > profile
```
```
╔══════════════════════════════════════════════════════════╗
║ RCDIDN — MINDPRINT BEHAVIORAL PROFILING ENGINE ║
║ Total Unique IPs Profiled : 391 ║
╠══════════════════════════════════════════════════════════╣
[RED] IP : 185.220.101.47 [Russia]
Persona : APT_CANDIDATE
Threat Score : 90/100
Total Hits : 34
First Seen : 2026-03-01T02:14:33
Last Seen : 2026-03-14T11:47:02
ISP : Selectel Ltd
[YEL] IP : 45.33.32.156 [USA]
Persona : BOTNET_NODE
Threat Score : 85/100
Total Hits : 12
Tools Used : Masscan
ISP : Linode LLC
[GRN] IP : 66.240.192.138 [USA]
Persona : RESEARCHER
Threat Score : 20/100
Total Hits : 3
Tools Used : Shodan
ISP : Shodan.io
╚══════════════════════════════════════════════════════════╝
```
| Persona | Score | Meaning |
|---------|-------|---------|
| `APT_CANDIDATE` | 90 | Manual reconnaissance, ≥ 10 hits, no automated tooling |
| `BOTNET_NODE` | 85 | Clock-driven: variance of the inter-hit interval < 5 s² |
| `PERSISTENT` | 70 | ≥ 3 repeat hits, semi-manual |
| `SCRIPTKIDDIE` | 50 | Known scanner tool detected |
| `RESEARCHER` | 20 | Shodan/Censys; not auto-banned |
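The persona rules in the table can be applied directly to the structured JSON log. The block below is an added example, not RCDIDN's own profiling engine: it groups constructed log events by source IP, measures hit count, tool fingerprints and the sample variance of the gaps between hits, and maps them to the personas and scores above. The rule priority (research scanners exempt first, then clock-driven cadence, then manual volume, then tooling, then persistence), the requirement of at least three hits for a variance reading, the contents of the two tool-name sets, the `UNKNOWN` fallback and the event field names (`ts`, `ip`, `tool`) are assumptions made for this example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Tool strings the dashboard above reports, split into "known scanner" and
# "research scanner" sets (which names go where is an assumption).
SCANNER_TOOLS = {"masscan", "nmap", "zgrab", "mirai"}
RESEARCH_TOOLS = {"shodan", "censys"}


def interval_variance(timestamps):
    """Sample variance (s^2) of the gaps between consecutive hits.
    Needs at least three hits (two gaps); returns None otherwise."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return statistics.variance(gaps) if len(gaps) >= 2 else None


def classify(hits, tools, variance):
    """Map (hit count, tool fingerprints, interval variance) to
    (persona, threat score, auto_ban) using the thresholds in the table.
    Rule priority is an assumption: research scanners are exempt first, a
    clock-driven cadence beats tool fingerprinting (the Masscan host above is
    BOTNET_NODE, not SCRIPTKIDDIE), and APT_CANDIDATE needs >= 10 hits with no
    automated tool at all."""
    tools = {t.lower() for t in tools}
    if tools & RESEARCH_TOOLS:
        return "RESEARCHER", 20, False           # Shodan/Censys: never auto-banned
    if variance is not None and variance < 5.0:
        return "BOTNET_NODE", 85, True           # interval variance < 5 s^2
    if hits >= 10 and not tools:
        return "APT_CANDIDATE", 90, True         # manual recon, no scanner signature
    if tools & SCANNER_TOOLS:
        return "SCRIPTKIDDIE", 50, True          # known scanner detected
    if hits >= 3:
        return "PERSISTENT", 70, True            # repeat hits, semi-manual
    return "UNKNOWN", 0, False                   # assumed label: too little data


def profile(events):
    """events: iterable of dicts with keys ts (ISO-8601), ip, tool (str or None).
    Returns {ip: {persona, score, auto_ban, hits, tools}}."""
    by_ip = defaultdict(lambda: {"ts": [], "tools": set()})
    for e in events:
        rec = by_ip[e["ip"]]
        rec["ts"].append(datetime.fromisoformat(e["ts"]))
        if e.get("tool"):
            rec["tools"].add(e["tool"])
    out = {}
    for ip, rec in by_ip.items():
        persona, score, ban = classify(len(rec["ts"]), rec["tools"],
                                       interval_variance(rec["ts"]))
        out[ip] = {"persona": persona, "score": score, "auto_ban": ban,
                   "hits": len(rec["ts"]), "tools": sorted(rec["tools"])}
    return out


def _hits(ip, gaps, tool=None, start=datetime(2026, 3, 1, 2, 0, 0)):
    """Build one IP's events from a list of inter-hit gaps in seconds."""
    t, ev = start, [{"ts": start.isoformat(), "ip": ip, "tool": tool}]
    for g in gaps:
        t += timedelta(seconds=g)
        ev.append({"ts": t.isoformat(), "ip": ip, "tool": tool})
    return ev


def sample_events():
    """Constructed events (documentation-range IPs, not real traffic)."""
    return (
        # manual operator: 12 hits, gaps from seconds to an hour, no tool
        _hits("203.0.113.10", [40, 300, 12, 900, 65, 2400, 7, 180, 3600, 25, 600])
        # botnet node: Masscan on a 30 s clock with +-1 s jitter (variance 1.0)
        + _hits("198.51.100.7", [31, 29, 29, 31, 31, 29, 30, 29, 31, 31, 29], "Masscan")
        # research scanner: 3 hourly hits, never banned even though clock-driven
        + _hits("192.0.2.44", [3600, 3600], "Shodan")
        # script kiddie: 2 Nmap hits, too few for a cadence reading
        + _hits("192.0.2.9", [75], "Nmap")
        # persistent semi-manual: 4 irregular hits, no tool
        + _hits("203.0.113.99", [120, 4000, 50])
    )


if __name__ == "__main__":
    for ip, rec in profile(sample_events()).items():
        print(f"{ip:15} {rec['persona']:14} {rec['score']:3}/100 ban={rec['auto_ban']}")
```

The variance threshold is what separates a human from a cron job: a person pauses for minutes between probes, a bot fires on a timer, so even a jittered 30 s cadence scores far below 5 s² while a manual session scores in the millions.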
#### `dwelltime` — PHANTOM CLOCK analysis
```
RCDIDN > dwelltime
```
```
╔══════════════════════════════════════════════════════════╗
║ RCDIDN — PHANTOM CLOCK DWELL TIME ANALYSIS ║
╠══════════════════════════════════════════════════════════╣
Total AI Sessions : 93
Total Tarpit Sessions : 298
AI Avg Dwell Time : 18m 24s
Longest AI Session : 1h 2m 11s
Avg Commands / Session : 14.7
Most Typed Command : 'cat /etc/passwd' (312x total)
Engagement Rate (> 1 min): 78.5%
╠══════════════════════════════════════════════════════════╣
COMPARISON: AI HONEYPOT vs STATIC TARPIT
AI Honeypot Avg : 18m 24s
Static Tarpit Avg : 3m 8s
LLM Effectiveness : 5.9x longer than tarpit
╚══════════════════════════════════════════════════════════╝
```
#### `canary` — MIRAGE DROP hit tracker
```
RCDIDN > canary
```
```
╔══════════════════════════════════════════════════════════╗
║ RCDIDN — MIRAGE DROP CANARY HIT TRACKER ║
╠══════════════════════════════════════════════════════════╣
Total Canary Hits : 47
Unique Attacker IPs : 31
Last Hit : 2026-03-14T11:47:02
RECENT HITS:
2026-03-14T11:47:02 185.220.101.47 [Russia] → .env
2026-03-14T09:33:18 45.33.32.156 [USA] → database.json
2026-03-13T22:14:05 91.108.4.71 [Germany] → config.yaml
╚══════════════════════════════════════════════════════════╝
```
#### `report` — Generate an HTML threat report
```
RCDIDN > report
```
```
[+] Generating threat intelligence report...
[+] Analyzed 2,847 log entries
[+] Report saved : rcdidn_report_20260314_135200.html
[+] Open in any browser to view the visualizations.
```
### Novel research features
#### `temporal` — Show the current temporal profile
```
RCDIDN > temporal
```
```
[+] Current Temporal Profile: RANDOM_CHAOS
Available profiles: off, random_chaos, busy_server, tarpit_extreme
Usage: temporal profile
```
#### `temporal profile <name>` — Switch profile
```
RCDIDN > temporal profile busy_server
```
```
[+] Temporal Deception Grid set to: BUSY_SERVER
```
| Profile | Delay | Effect |
|---------|-------|--------|
| `random_chaos` | 0.1–5.0 s | Wrecks the scanner's timing model |
| `busy_server` | 2.0–4.0 s | Simulates a heavily loaded production server |
| `tarpit_extreme` | 10.0–20.0 s | Exhausts the scanner's connection pool |
| `off` | 0 s | Disabled |
#### `mirror` — DARK MIRROR
```
RCDIDN > mirror
```
```
[*] Launching Dark Mirror in background (Port 8080)...
[+] Dark Mirror active. Reflecting payloads back to senders.
```
#### `economics` — HONEYPOT ECONOMICS
```
RCDIDN > economics
```
```
╔══════════════════════════════════════════════════════════╗
║ RCDIDN — HONEYPOT ECONOMICS (DAMAGE) ║
╠══════════════════════════════════════════════════════════╣
Total Attacker Sessions Trapped : 391
Total Attacker Time Wasted : 120.40 Hours
Estimated Financial Damage : $6,020.00 USD
╚══════════════════════════════════════════════════════════╝
```
#### `pheromone deploy` — Deploy bait files
```
RCDIDN > pheromone deploy
```
```
[+] Deployed 5 Digital Pheromone bait files.
```
| Bait file | What the attacker sees |
|-----------|------------------------|
| `robots.txt` | Fake references to `.env` and a backup zip |
| `info.php` | Fake phpinfo() with DB errors |
| `README_INTERNAL.txt` | Fake hint at a backup location |
| `backup_2024_prod.zip` | Empty ZIP that triggers scanners |
| `index.html_comment` | Hidden admin-panel comment |
#### `ghostnet` — GHOST NETWORK
```
RCDIDN > ghostnet
```
```
[*] Launching Ghost Network in background (Port 4444)...
[+] Ghost Network active. Simulating high-value target on port 4444
```
#### `evidence collect` — Collect forensic evidence
```
RCDIDN > evidence collect
```
```
[+] Regulatory Trap evidence bundle created for: ALL_EVIDENCE
[-] Report : ~/.sys_meta_rcdidn/legal_evidence/Evidence_Report_20260314.txt
[-] Bundle : ~/.sys_meta_rcdidn/legal_evidence/Evidence_Bundle_20260314.zip
[-] Password: ~/.sys_meta_rcdidn/legal_evidence/Evidence_Bundle_20260314.zip.password.txt
[!] ZIP and password file are only readable by owner (chmod 600)
```
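What a SHA-256 evidence bundle of this kind involves, as an added example that is not RCDIDN's code: hash each log file, record the digests in a manifest, zip logs plus manifest, hash the ZIP itself, restrict every artefact to the owner (`0600`), and re-verify the members against the manifest so that later tampering is detectable. It covers integrity, not confidentiality: Python's standard `zipfile` cannot apply a ZIP password on write, so the project's password file is not reproduced here. The file names, the JSON manifest layout, the `owner_only` helper, the two sample log lines (constructed, not real traffic) and the temp-directory `demo()` are all assumptions of this example.

```python
import hashlib
import json
import os
import stat
import tempfile
import zipfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Streaming SHA-256 of a file (logs can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def owner_only(path):
    """True when no group/other permission bits are set (0600-style)."""
    if os.name != "posix":              # chmod semantics differ on Windows
        return True
    return (Path(path).stat().st_mode & 0o077) == 0


def collect_evidence(log_paths, out_dir, collector="rcdidn-commander"):
    """Hash each log, write a JSON manifest, zip logs + manifest, hash the ZIP,
    and make every artefact owner-readable only.  Returns the paths and digests."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(out_dir, stat.S_IRWXU)                       # 0700 directory
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d_%H%M%S")
    files = [Path(p) for p in log_paths]
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "files": [{"name": p.name, "size": p.stat().st_size, "sha256": sha256_file(p)}
                  for p in files],
    }
    manifest_path = out_dir / f"Evidence_Report_{stamp}.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    zip_path = out_dir / f"Evidence_Bundle_{stamp}.zip"
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as z:
        for p in files:
            z.write(p, arcname=p.name)
        z.write(manifest_path, arcname=manifest_path.name)
    bundle_sha = sha256_file(zip_path)
    sha_path = out_dir / f"{zip_path.name}.sha256"
    sha_path.write_text(f"{bundle_sha}  {zip_path.name}\n")   # `sha256sum -c` format
    for p in (manifest_path, zip_path, sha_path):
        os.chmod(p, stat.S_IRUSR | stat.S_IWUSR)               # 0600
    return {"manifest": manifest_path, "bundle": zip_path,
            "bundle_sha256": bundle_sha, "files": manifest["files"]}


def verify_bundle(zip_path):
    """Re-hash every member against the manifest stored inside the ZIP.
    Returns (ok, [names whose digest no longer matches])."""
    with zipfile.ZipFile(zip_path) as z:
        manifest_name = next(n for n in z.namelist() if n.startswith("Evidence_Report_"))
        manifest = json.loads(z.read(manifest_name))
        bad = [f["name"] for f in manifest["files"]
               if hashlib.sha256(z.read(f["name"])).hexdigest() != f["sha256"]]
    return (not bad), bad


def demo(root=None):
    """Build a bundle from two constructed log files, verify it, then verify a
    copy in which one member was altered.  Returns everything for inspection."""
    root = Path(root or tempfile.mkdtemp(prefix="rcdidn_evidence_"))
    logs = root / "logs"
    logs.mkdir(parents=True, exist_ok=True)
    # constructed JSON log lines, not real traffic
    (logs / "canary_hits.log").write_text(
        '{"ts":"2026-03-14T11:47:02","src_ip":"203.0.113.10","file":".env"}\n')
    (logs / "phantom_clock.log").write_text(
        '{"ts":"2026-03-14T11:30:00","src_ip":"203.0.113.10","dwell_s":1104}\n')
    res = collect_evidence([logs / "canary_hits.log", logs / "phantom_clock.log"],
                           root / "legal_evidence")
    ok, bad = verify_bundle(res["bundle"])
    # tamper check: same manifest, one member rewritten -> must be flagged
    tampered = root / "tampered.zip"
    with zipfile.ZipFile(res["bundle"]) as src, zipfile.ZipFile(tampered, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "canary_hits.log":
                data = data.replace(b"203.0.113.10", b"198.51.100.1")
            dst.writestr(name, data)
    ok2, bad2 = verify_bundle(tampered)
    return {"result": res, "verified": ok, "mismatches": bad,
            "tampered_verified": ok2, "tampered_mismatches": bad2}


if __name__ == "__main__":
    out = demo()
    print(out["result"]["bundle"], out["result"]["bundle_sha256"])
    print("verified:", out["verified"], "tampered flagged:", out["tampered_mismatches"])
```

The digest of the ZIP is what you hand over alongside the bundle (and ideally record somewhere the server cannot rewrite, such as a ticket or an e-mail to the recipient) so the recipient can confirm the archive is the one you collected; the per-file manifest inside it then pins each log individually.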
#### `evidence report` — Generate reports for the authorities
```
RCDIDN > evidence report idcert
[+] Regulatory Trap evidence bundle created for: idcert
RCDIDN > evidence report bssid
[+] Regulatory Trap evidence bundle created for: bssid
RCDIDN > evidence report interpol
[+] Regulatory Trap evidence bundle created for: interpol
```
### System and AI keys
#### `test` — Run the self-test suite
```
RCDIDN > test
```
```
[=== RCDIDN SELF-TEST SUITE — V1.0 HACKER KILLER ===]
[PASS] Test 1 : AES-256-GCM encrypt → decrypt round-trip
[PASS] Test 2 : MIRAGE DROP canary generation
[PASS] Test 3 : PBKDF2HMAC Key derivation (deterministic, unique, AES-256-GCM compatible)
[PASS] Test 4 : Structured JSON logging
[PASS] Test 5 : Encrypted Shadow manifest save → load
[PASS] Test 6 : Wrong password correctly raises InvalidTag (AES-GCM Authenticated)
Result : 6/6 tests passed
[OK] ALL TESTS PASSED — RCDIDN IS MILITARY-GRADE READY
```
#### `status` — System status
```
RCDIDN > status
```
```
[=== RCDIDN V1.0 HACKER KILLER — SYSTEM STATUS ===]
[+] Shadow Manifest : Found (Encrypted Blob)
[+] Vault Files : 3
[+] IPS Daemon PID : 14821 (running)
[+] Log Entries : 2,847 (284.3 KB)
[+] PHANTOM CLOCK : 93 session(s) recorded
```
#### `setkey` — Set AI provider + API key
```
RCDIDN > setkey
```
```
[AI HONEYPOT CONFIGURATION]
Select your preferred AI Provider:
1) Gemini (Google) - Default
2) OpenAI (ChatGPT)
3) Anthropic (Claude)
4) DeepSeek
Choice (1-4) [default: 1]: 1
[AI HONEYPOT] Enter your GEMINI API key.
API Key: AIzaSyABCDEF...
[+] API key and provider saved to /root/.bashrc
[+] AI Honeypot ACTIVATED via GEMINI | Key: AIzaSyAB****xyz1
[+] Run 'ips start' to launch AI Interrogator on port 2323
```
#### `aikey` — Check AI key status
```
RCDIDN > aikey
```
With a key active:
```
[AI HONEYPOT] Status : ACTIVE | Provider : GEMINI
[AI HONEYPOT] Key : AIzaSyAB****xyz1 | Port 2323 ready
```
Without a key:
```
[AI HONEYPOT] Status : INACTIVE (no RCDIDN_AI_KEY set)
[AI HONEYPOT] Tip : type 'setkey' to configure your preferred AI provider
```
#### `exit` — Exit the commander
```
RCDIDN > exit
```
## CLI reference
```
python3 rcdidn.py -h # Show full help and usage examples
python3 rcdidn.py --run # Vault all sensitive files immediately
python3 rcdidn.py --restore # Restore all files from vault
python3 rcdidn.py --status # System status: vault, daemon, logs
python3 rcdidn.py --test # Run self-test suite (all 6 must pass)
python3 rcdidn.py --stats # ASCII threat intelligence dashboard
python3 rcdidn.py --report # Generate HTML threat report
sudo python3 rcdidn.py --install # Install as systemd service (Linux)
sudo python3 rcdidn.py --uninstall # Remove systemd service (Linux)
```
## Setting up the AI honeypot (multi-provider)
The AI Interrogator (port 2323) and PHANTOM CLOCK dwell measurement need an LLM API key. **The key is entirely optional**: 37 of the 38 features work without it. Note that `setkey` stores the key in plaintext in your shell profile (`~/.bashrc` in the transcript below), so keep that file readable by its owner only and use a dedicated key that you can revoke if the server is ever compromised.
**Step 1 — Get an API key from the provider of your choice**
| # | Provider | Link | Free tier |
|---|----------|------|-----------|
| 1 | **Gemini** (default) | [aistudio.google.com/apikey](https://aistudio.google.com/apikey) | ✅ Yes |
| 2 | **OpenAI** | [platform.openai.com/api-keys](https://platform.openai.com/api-keys) | ❌ |
| 3 | **Anthropic (Claude)** | [console.anthropic.com](https://console.anthropic.com) | ❌ |
| 4 | **DeepSeek** | [platform.deepseek.com](https://platform.deepseek.com) | ❌ (very cheap) |
**Step 2 — Set provider + key (recommended method)**
```
RCDIDN > setkey
[AI HONEYPOT CONFIGURATION]
Select your preferred AI Provider:
1) Gemini (Google) - Default
2) OpenAI (ChatGPT)
3) Anthropic (Claude)
4) DeepSeek
Choice (1-4) [default: 1]: 1
[AI HONEYPOT] Enter your GEMINI API key.
API Key: AIzaSyABCDEF...
[+] API key and provider saved to ~/.bashrc
[+] AI Honeypot ACTIVATED via GEMINI | Key: AIzaSyAB****xyz1
[+] Run 'ips start' to launch AI Interrogator on port 2323
```
**Step 3 — Start all honeypots**
```
RCDIDN > ips start
[+] HoneyPort 'AI-Interrogator' active on port 2323 [AI] (max 200 threads)
[+] HoneyPort 'Fake-SSH' active on port 2222 [TARPIT] (max 200 threads)
[+] HoneyPort 'Fake-MySQL' active on port 3306 [TARPIT] (max 200 threads)
[+] GHOST NETWORK active on port 4444 — simulating 10 fake hosts
```
## Running 24/7 unattended
### Linux — systemd (recommended)
```
sudo python3 rcdidn.py --install
systemctl status rcdidn # verify running
journalctl -u rcdidn -f # live log stream
systemctl restart rcdidn # manual restart
sudo python3 rcdidn.py --uninstall # remove service
```
### Linux — crontab (alternative)
```
crontab -e
# add:
@reboot sleep 15 && python3 /root/rcdidn.py --ips_daemon
```
### Windows — Task Scheduler
1. Search for "Task Scheduler" → Create Basic Task
2. Trigger: **When the computer starts**
3. Action: **Start a program** → `python`
4. Arguments: `C:\path\to\rcdidn.py --ips_daemon`
5. ✅ Run whether user is logged on or not
6. ✅ Run with highest privileges
### macOS — launchd
```
sudo launchctl load /Library/LaunchDaemons/com.rcdidn.plist
```
## File locations
| Path | Contents |
|------|----------|
| `~/.rcdidn_vault/` | All encrypted files (`*.enc`) |
| `~/.sys_meta_rcdidn/sys_crypto_salt.bin` | Cryptographic salt for PBKDF2HMAC; never the password |
| `~/.sys_meta_rcdidn/sys_kern_meta.log` | Main structured JSON log (SIEM-compatible) |
| `~/.sys_meta_rcdidn/phantom_clock.log` | PHANTOM CLOCK dwell sessions |
| `~/.sys_meta_rcdidn/canary_hits.log` | MIRAGE DROP canary access log |
| `~/.sys_meta_rcdidn/dark_mirror.log` | DARK MIRROR attacker OS and tool profiles |
| `~/.sys_meta_rcdidn/economics.log` | HONEYPOT ECONOMICS calculation history |
| `~/.sys_meta_rcdidn/pheromone.log` | DIGITAL PHEROMONE bait hit records |
| `~/.sys_meta_rcdidn/ghost_network.log` | GHOST NETWORK pivot attempt records |
| `~/.sys_meta_rcdidn/legal_evidence/` | REGULATORY TRAP evidence ZIPs + password files (both `chmod 600`) |
| `./core_system_map.bin` | Encrypted Shadow Manifest (one per project directory) |
| `./rcdidn_web.log` | PHP Sentinel web event log (separate from the vault log) |
## FAQ
**Q: Do I need any technical knowledge to run RCDIDN?**
No. `pip install cryptography` followed by `python3 rcdidn.py` is the whole installation. The commander shell walks you through everything after that.
**Q: Do I need an AI API key?**
No. 37 of the 38 features work without any key; the AI Interrogator falls back to convincing static responses. Type `setkey` at any time to activate AI mode and pick your provider: Gemini (free), OpenAI, Anthropic Claude or DeepSeek.
**Q: Will RCDIDN slow down my server?**
No. The IPS daemon uses negligible CPU while idle, the honeypot ports only do work when a connection arrives, and normal HTTP/HTTPS traffic on ports 80/443 is left completely untouched.
**Q: What if I forget the master password?**
By design there is no recovery mechanism. RCDIDN uses true AES-256-GCM with zero-knowledge key derivation: the password itself is never written to disk. The only derivation input kept on disk is the PBKDF2 salt in `~/.sys_meta_rcdidn/sys_crypto_salt.bin`, and the salt cannot be used to recover the password. Write the password down and put it in a password manager immediately after first setup.
**Q: Will a botnet flood the honeypots and crash my server?**
No. Every honeypot port has a hard `threading.Semaphore(200)` limit; anything beyond 200 concurrent connections is dropped cleanly. Tarpit sessions expire automatically after 1 hour, and the in-memory banned-IP set is capped at 10,000 entries.
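A minimal version of the tarpit honeyport described under `ips start`, in the temporal profile table and in this answer, as an added example that is not the project's own code: a fake-SSH listener that holds each connection for the selected profile's delay before sending a banner, then trickles a junk line per tick until the client gives up or the session hits its expiry (1 hour by default, as in the answer above), with a `threading.Semaphore` cap after which new connections are closed at `accept()` instead of being queued. Every event is appended as a JSON line. The banner string, the junk-line tick, the loopback-only bind, the event field names and the `demo()` harness (which uses a cap of 2 and the `off` profile so the behaviour is observable in milliseconds) are assumptions of this example.

```python
import json
import random
import socket
import threading
import time
from datetime import datetime, timezone

# Delay windows (seconds) from the Temporal Deception Grid table above.
TEMPORAL_PROFILES = {
    "off": (0.0, 0.0),
    "random_chaos": (0.1, 5.0),
    "busy_server": (2.0, 4.0),
    "tarpit_extreme": (10.0, 20.0),
}


def pick_delay(profile, rng=random):
    """Seconds to hold a connection before the banner, per profile."""
    lo, hi = TEMPORAL_PROFILES[profile]
    return rng.uniform(lo, hi) if hi > lo else 0.0


class HoneyPort:
    """Fake-SSH tarpit: delayed banner, then a junk line every `tick` seconds
    until the client gives up or the session reaches `max_session` (1 h default).
    Connections beyond `max_conns` are closed at accept() rather than queued."""

    def __init__(self, port=0, max_conns=200, profile="busy_server",
                 tick=10.0, max_session=3600.0,
                 banner=b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"):   # banner is invented
        self.profile, self.tick, self.max_session, self.banner = profile, tick, max_session, banner
        self.sem = threading.Semaphore(max_conns)   # hard cap, as in the FAQ's Semaphore(200)
        self.events = []                            # JSON lines, SIEM-style
        self.dropped = 0
        self._stop = threading.Event()
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.srv.bind(("127.0.0.1", port))          # port=0: the kernel picks a free port
        self.srv.listen(64)
        self.port = self.srv.getsockname()[1]

    def _log(self, event, peer, **extra):
        rec = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
               "src_ip": peer[0], "src_port": peer[1], "honeyport": self.port, **extra}
        self.events.append(json.dumps(rec))

    def start(self):
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self

    def stop(self):
        self._stop.set()
        try:
            self.srv.shutdown(socket.SHUT_RDWR)      # wakes a blocked accept() on Linux
        except OSError:
            pass
        self.srv.close()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.srv.accept()
            except OSError:                          # listener closed by stop()
                return
            if not self.sem.acquire(blocking=False):
                self.dropped += 1                    # over the cap: drop cleanly, never queue
                self._log("dropped_over_cap", peer)
                conn.close()
                continue
            threading.Thread(target=self._session, args=(conn, peer), daemon=True).start()

    def _session(self, conn, peer):
        start = time.monotonic()
        self._log("session_start", peer, profile=self.profile)
        try:
            time.sleep(pick_delay(self.profile))     # temporal deception before the banner
            conn.sendall(self.banner)
            while (time.monotonic() - start) < self.max_session and not self._stop.is_set():
                time.sleep(self.tick)
                conn.sendall(b"\r\n")                # keep the scanner waiting for more
        except OSError:
            pass                                     # client gave up or reset the connection
        finally:
            conn.close()
            self.sem.release()
            self._log("session_end", peer, dwell_s=round(time.monotonic() - start, 3))


def demo(cap=2):
    """Start a capped tarpit on a loopback port, open cap+1 clients and report
    what each saw.  Returns a dict so the behaviour can be checked programmatically."""
    hp = HoneyPort(max_conns=cap, profile="off", tick=0.05, max_session=5.0).start()
    clients = [socket.create_connection(("127.0.0.1", hp.port), timeout=3.0)
               for _ in range(cap + 1)]
    first = clients[0].recv(64)        # the first client gets the banner
    excess = clients[-1].recv(64)      # the (cap+1)th gets b"": closed at accept()
    result = {"banner": first, "excess_client_got": excess, "dropped": hp.dropped,
              "events": list(hp.events)}
    for c in clients:
        c.close()
    hp.stop()
    return result


if __name__ == "__main__":
    print(demo())
```

The important design point is `acquire(blocking=False)` in the accept loop: a blocking acquire would let a flood pile up in the listen backlog and in kernel memory, while a non-blocking one turns the cap into a real ceiling on both threads and sockets. The expiry check inside the loop is what bounds a single patient attacker to one hour of one thread.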
**Q: Is the fake ransomware Sentinel page legal?**
Yes. Showing deceptive pages to automated attack tools on your own server is lawful and a published, accepted honeypot technique. You are responding to automated scanners probing your infrastructure, not deceiving human users.
**Q: Can I use the VSCode debug button?**
No, absolutely not. VSCode's debugger installs a trace function (visible through `sys.gettrace()`), which trips RCDIDN's anti-debugging self-destruct at startup. Only ever run it from a terminal.
**Q: Which ports does RCDIDN use?**
`2222` (fake SSH tarpit), `2323` (AI Interrogator honeypot), `3306` (fake MySQL tarpit), `4444` (Ghost Network). Note that `3306` is the real MySQL default port: do not run `ips start` on a host whose own database already listens there, since only one of the two can bind it.
**Q: How do I report a real attacker to the authorities?**
Run `evidence collect`, then `evidence report interpol` (international) or `evidence report idcert` (Indonesia). The output is a formatted complaint attachment plus a forensic ZIP protected by `chmod 600`.
**Q: Will RCDIDN run up a huge API bill?**
No. Each session is hard-capped at 100 API calls regardless of provider; once the cap is reached RCDIDN uses static fallback responses. Adjust `MAX_AI_CALLS_PER_SESSION` at the top of `rcdidn.py` to set a lower limit. For zero cost use Google Gemini, whose generous free tier comfortably covers honeypot usage.
## License and credits
RCDIDN V1.0 — HACKER KILLER was created by **Muhamad Fadhil Faturohman**.
Licensed under the **MIT License**.
```
MIT License
Copyright (c) 2026 Muhamad Fadhil Faturohman
RCDIDN V1.0 — HACKER KILLER (Radioactive Cognitive Data Indonesia)
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in ALL copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED.
```
**You are free to:**
- ✅ Use it for personal, educational, research and commercial purposes
- ✅ Modify and distribute it freely
- ✅ Include it in open-source or closed-source products and services
**One non-negotiable rule:**
Active defense system — turn your server into a hacker-trap machine
Radioactive Cognitive Data Indonesia — defensive security system
Created by Muhamad Fadhil Faturohman
*"Every server touched by RCDIDN becomes a research laboratory.*
*Every attacker becomes a data point. Every attack becomes knowledge."*
— Muhamad Fadhil Faturohman
Contact: muhamadfadhilfaturohman@gmail.com
Tags: AES-256 encryption, CISA project, MIT defense framework, PE loader, Python, single-file app, threat intelligence, developer tools, no backdoor, cybersecurity, honeypot, certificate exploitation, privacy protection, hacker trap