Skip to content

Deployment

How to deploy HYDRA on a public VPS for real-world attacker capture.

VPS requirements

Resource Minimum Recommended
CPU 1 vCPU 2 vCPU
RAM 1 GB 2 GB
Disk 10 GB 20 GB
OS Ubuntu 22.04+ Ubuntu 24.04
Network Public IP, port 22 or 2222 open Dedicated IP

HYDRA uses the Groq API for LLM inference — no GPU needed on the VPS itself.

Setup

1. Server preparation

# Update system
sudo apt update && sudo apt upgrade -y

# Install Python
sudo apt install python3 python3-pip python3-venv -y

# Create a dedicated user
sudo useradd -m -s /bin/bash hydra
sudo su - hydra

2. Install HYDRA

git clone https://github.com/grizzly2005/hydra-pdx.git
cd hydra-pdx/hydra-honeypot

python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

cp .env.example .env
# Edit .env with your Groq API key

3. Port configuration

Don't replace real SSH

Run HYDRA on port 2222 and keep real SSH on port 22. Never expose your management SSH on the same port as the honeypot.

# Option A: Run on port 2222 directly
SSH_PORT=2222

# Option B: Use iptables to redirect 22 → 2222
# (move real SSH to another port first!)
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

4. Run as a service

Create /etc/systemd/system/hydra.service:

[Unit]
Description=HYDRA SSH Honeypot
After=network.target

[Service]
Type=simple
User=hydra
WorkingDirectory=/home/hydra/hydra-pdx/hydra-honeypot
ExecStart=/home/hydra/hydra-pdx/hydra-honeypot/venv/bin/python src/main.py
Restart=always
RestartSec=10
Environment=PYTHONUNBUFFERED=1

[Install]
WantedBy=multi-user.target

sudo systemctl enable hydra
sudo systemctl start hydra
sudo systemctl status hydra

5. Cloudflare tunnel (optional)

If you want to expose HYDRA without opening firewall ports:

# Install cloudflared
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
chmod +x cloudflared
sudo mv cloudflared /usr/local/bin/

# Create tunnel
cloudflared tunnel create hydra
cloudflared tunnel route dns hydra ssh.yourdomain.com

# Run tunnel
cloudflared tunnel run hydra

Collecting data

Sync logs to local machine

# From your local machine
rsync -avz hydra@your-vps:/home/hydra/hydra-pdx/hydra-honeypot/logs/ ./logs/

Process with PDX

cd pdx
python -m pdx.training.data_router split --logs-dir ../logs
python -m pdx.training.data_router generate --all

Security considerations

Ethical disclosure

All decoy credentials (AWS keys, Solana keypairs, database passwords) are fictional and non-functional. They cannot be used to access any real system. This is mandatory for responsible honeypot operation.

  • Never store real credentials in persona files
  • Rotate Groq API keys regularly
  • Monitor VPS resource usage (LLM API costs)
  • Review logs for unexpected behavior
  • Keep the real SSH management port firewalled to your IP only