Deployment¶
How to deploy HYDRA on a public VPS for real-world attacker capture.
VPS requirements¶
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 1 vCPU | 2 vCPU |
| RAM | 1 GB | 2 GB |
| Disk | 10 GB | 20 GB |
| OS | Ubuntu 22.04+ | Ubuntu 24.04 |
| Network | Public IP, port 22 or 2222 open | Dedicated IP |
HYDRA uses the Groq API for LLM inference — no GPU needed on the VPS itself.
Setup¶
1. Server preparation¶
# Update system
sudo apt update && sudo apt upgrade -y
# Install Python
sudo apt install python3 python3-pip python3-venv -y
# Create a dedicated user
sudo useradd -m -s /bin/bash hydra
sudo su - hydra
2. Install HYDRA¶
git clone https://github.com/grizzly2005/hydra-pdx.git
cd hydra-pdx/hydra-honeypot
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
cp .env.example .env
# Edit .env with your Groq API key
3. Port configuration¶
Don't replace real SSH
Run HYDRA on port 2222 and keep real SSH on port 22. Never expose your management SSH on the same port as the honeypot.
# Option A: Run on port 2222 directly
SSH_PORT=2222
# Option B: Use iptables to redirect 22 → 2222
# (move real SSH to another port first!)
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
4. Run as a service¶
Create /etc/systemd/system/hydra.service:
[Unit]
Description=HYDRA SSH Honeypot
After=network.target
[Service]
Type=simple
User=hydra
WorkingDirectory=/home/hydra/hydra-pdx/hydra-honeypot
ExecStart=/home/hydra/hydra-pdx/hydra-honeypot/venv/bin/python src/main.py
Restart=always
RestartSec=10
Environment=PYTHONUNBUFFERED=1
[Install]
WantedBy=multi-user.target
5. Cloudflare tunnel (optional)¶
If you want to expose HYDRA without opening firewall ports:
# Install cloudflared
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
chmod +x cloudflared
sudo mv cloudflared /usr/local/bin/
# Create tunnel
cloudflared tunnel create hydra
cloudflared tunnel route dns hydra ssh.yourdomain.com
# Run tunnel
cloudflared tunnel run hydra
6. Environment variables¶
HYDRA's UIs (hydra_ui.py) and unified launcher (launcher.py) read their deployment configuration from environment variables, so no credentials are hardcoded in the code.
| Variable | Default | Purpose |
|---|---|---|
HYDRA_VPS_IP | 127.0.0.1 | Public IP or DNS of your HYDRA instance |
HYDRA_VPS_USER | hydra | SSH user on the VPS |
HYDRA_VPS_PATH | /home/$HYDRA_VPS_USER/hydra | Absolute path to the HYDRA install on the VPS |
GROQ_API_KEYS | (none) | Comma-separated Groq API keys |
Recommended: .env file
Create a .env at the repo root (gitignored by default):
HYDRA_VPS_IP=1.2.3.4
HYDRA_VPS_USER=hydra
HYDRA_VPS_PATH=/home/hydra/hydra
GROQ_API_KEYS=gsk_xxx,gsk_yyy
Source it before running the UI or launcher:
Convenience wrappers
To avoid sourcing manually every time:
cat > run-ui.sh << 'EOF'
#!/bin/bash
cd "$(dirname "$0")"
set -a; [ -f .env ] && source .env; set +a
exec python3 hydra_ui.py "$@"
EOF
chmod +x run-ui.sh
Same for run-launcher.sh with launcher.py. Then just run ./run-ui.sh or ./run-launcher.sh sync download.
Warning
Never commit .env. It is in .gitignore by default.
Collecting data¶
Sync logs to local machine¶
# From your local machine
rsync -avz hydra@your-vps:/home/hydra/hydra-pdx/hydra-honeypot/logs/ ./logs/
Process with PDX¶
cd pdx
python -m pdx.training.data_router split --logs-dir ../logs
python -m pdx.training.data_router generate --all
Security considerations¶
Ethical disclosure
All decoy credentials (AWS keys, Solana keypairs, database passwords) are fictional and non-functional. They cannot be used to access any real system. This is mandatory for responsible honeypot operation.
- Never store real credentials in persona files
- Rotate Groq API keys regularly
- Monitor VPS resource usage (LLM API costs)
- Review logs for unexpected behavior
- Keep the real SSH management port firewalled to your IP only