SkyEye
Commands

SkyEye Threat Defense

SkyEye stands in front of your application and bans attackers before your server ever hears from them. One binary, on your machine, not on someone else's cloud.

It knows 264 attacks by name.

Leaked secrets. Stolen keys. Hidden backdoors. SkyEye recognizes every classic move on first contact and closes the door before it opens.

Disguises come off at the door.

Attackers wrap exploits in layer after layer of encoding to slip past filters. SkyEye peels every layer, in the path and in the query string, and judges what's underneath. The disguise itself is what gives them away.

One probe. Seven days banned.

Most servers forgive and forget. SkyEye remembers. A single wrong move costs the attacker a full week. No warnings. No second chances.

Come back, and it gets worse.

A second offense costs two weeks. A third costs a month. SkyEye keeps the record for ninety days. Scanners that plan to wait out their sentence find a longer one waiting.

New tricks don't work here.

SkyEye reads behavior, not just signatures. Thirty suspicious not-founds in a minute reads as a scan, even with an attack no one has seen before.

Flood it, and you're gone.

Every visitor gets a fair pace. Cross it and SkyEye slows you down. Abuse it and you stop being a visitor. The door closes for an hour.

Real visitors never feel it.

A broken image link never bans a customer. An office sharing one IP never trips the alarm. And your own address can be made untouchable with a single line of config. Permanently, across restarts.

Attackers scan every server
on the internet.

They only remember the one
that
banned them.

It's a security gateway.

Not a filter you bolt onto your proxy. SkyEye is the guarded front door itself. It owns the port, terminates the connection, and forwards only clean traffic to your app. The protection comes for free because nothing reaches your server any other way.

Built for backends, not websites.

If it runs on a port, SkyEye stands in front of it: APIs, app servers, microservices, WebSocket services. If your site is files on a disk, that's a web server's job. SkyEye guards applications. It doesn't host pages.

It fronts your app, like a reverse proxy.

Path routing, WebSocket support, request limits, real client IPs. For a typical reverse-proxy setup it does the front-door job nginx was doing, in one binary with a config a human can actually read.

HTTPS handles itself.

Point your domain at the server and SkyEye fetches its certificate from Let's Encrypt on the first request, then renews it forever. No certbot, no cron jobs, no expired-certificate outages at 3am.

Route by path to any backend.

Send /livekit to one service, everything else to your app, cap the upload route at 50MB, inject a header on another. A few lines of readable config, applied live.

One app, three servers? Balanced.

List several servers on a route and SkyEye spreads your visitors across them. A server that stops answering is taken out of rotation, and its traffic flows to the others until it recovers. No health checks to configure, no extra software.

Long connections stay open.

WebSockets and live event streams are first-class. Signaling, driver events, passenger listeners. They hold for hours without being cut, and every byte is flushed through the moment it arrives.

Your terminal is the dashboard.

No web panel to secure. No login to leak. SkyEye is administered through a local socket that never touches the network. It answers to the person at the keyboard of that machine, and no one else.

skyeye status

Live counters at a glance. Uptime, active bans grouped by reason, and the size of every tracker. One command tells you the whole state of the wall.

skyeye stats

Traffic totals, requests per second, and the leaderboards. Top requesters, top 404 sources, top repeat offenders. The black box becomes a glass one.

skyeye bans

Every active ban with its ID, target, time remaining and reason. IPv6 entries show the whole /64 block they cover.

skyeye ban

You spot an abuser in the logs. Ban them by hand, without waiting for a rule to trip. Durations the way you think them. Plain seconds, 30m, 2h, 7d. Manual bans always apply exactly what you typed.

skyeye check

The full story of one address. Banned or not, why, until when, its offense history and how it behaves right now. The command you reach for when someone says they're blocked.

skyeye unban

Lift any ban by ID or by address. It forgives the offense history too, so a wrongly banned visitor never faces escalation for your mistake.

skyeye reload

Thresholds, ban lengths and the never-ban allowlist live in one config file. Edit it, reload, and the new rules apply between one request and the next, with zero dropped connections and zero restarts.

skyeye stop

Graceful shutdown that cleans up after itself. No PID hunting, nothing left behind. Restarting clears every ban. The ultimate undo button.

One binary. The whole arsenal.

264 attack paths recognized on first contact. Ninety days of offense memory. Zero dependencies, zero databases, zero accounts, zero third parties. Everything that follows ships in a single file.

Signature blocklist, preprocessed.

Env files, git internals, SSH keys, cloud credentials, database dumps, webshells, admin panels, WordPress probes. All compiled at startup into a constant-time lookup, so recognition costs nothing per request.

Encoding tricks, unwrapped.

Percent-encoding is peeled layer by layer until the request stops changing. The double-encoded tricks that slide past naive filters are precisely what gets caught here.

Query strings, inspected.

Probes don't ride in on parameters either. A page parameter reaching for a traversal path is decoded, read, and banned like the attack it is.

Scanners betrayed by their own guessing.

Zero-day tools give themselves away by probing. Thirty suspicious misses a minute, or 120 of any kind, reads as a scan with no signature required. Your own broken asset links never count.

Rate limiting that stays fair.

A sliding 60-second window with a hard abuse line. Static assets are exempt, so an image-heavy page loaded by a whole office behind one IP punishes no one.

Sentences that escalate.

The first automatic ban lasts a week, the second two weeks, the third a month. Manual bans always honor your exact duration. The machine escalates, the operator decides.

IPv6 done right.

Bans cover the attacker's whole /64 block. Rotating through trillions of neighbouring addresses buys exactly nothing.

Proxy-aware, spoof-proof.

Behind Cloudflare or nginx, one flag honors real client IPs, read from the trusted end of the forwarding chain, so a forged header can't frame someone else or save the attacker.

Logs built for grep.

Every ban, block and rate-limit is one structured line on your disk. Sensitive query data is deliberately never written, so your logs can't leak what they don't contain.

Nothing left behind.

All state lives in memory. Stop it and the socket is cleaned up. Restart it and every questionable ban is forgiven. Delete the binary and SkyEye was never here. That's the whole uninstall guide.

And this is all attackers ever get.

No error page to fingerprint. No server to probe. Just a closed door, a reason, and a date one week away.