Operations 18 min read

Five Popular Bastion Hosts Compared – Why Ops Need Them and a Step‑by‑Step JumpServer Deployment Guide

The article explains why bastion hosts are essential for operations, compares five widely used solutions—including JumpServer, Teleport, Guacamole, QiZhi, and Spug—highlights their strengths and weaknesses, and provides a detailed, step‑by‑step guide to install and use JumpServer for secure, auditable server access.


Operations teams often receive frantic midnight calls about accidental deletions, such as rm -rf /, with no way to trace who executed the command. Without a bastion host, dozens of engineers hold server passwords, making accountability impossible.

A bastion host, formally an "operations security audit system," acts as a mandatory gateway for all server access. It centralizes authentication, authorization, account management, and audit (the 4A framework), providing unified login, fine‑grained permission control, password vaulting, and full session recording. Compliance standards like GB/T 22239‑2021 and ISO 27001 treat bastion hosts as required components.

Commonly Used Bastion Hosts

JumpServer – Leading Open‑Source Solution

Supports SSH, RDP, VNC, SFTP, MySQL/PostgreSQL/MariaDB, and Kubernetes.

Micro‑service architecture (Core, Koko, Lion, Magnus, XRDP).

Full 4A capabilities with RBAC, command filtering, and session replay.

Multiple deployment options: one‑click script, Docker‑Compose, Helm, offline package.

Active community (tens of thousands of GitHub stars) and cluster deployment support.

Teleport – Cloud‑Native Unified Access Platform

Zero‑trust model: default deny, all connections must be authenticated.

Unified proxy for SSH, Kubernetes, databases, and web apps.

Short‑lived TLS/SSH certificates replace static passwords.

Fine‑grained policies based on role, time, IP, etc.

Managed Cloudflare version and on‑premise enterprise edition.

Apache Guacamole – Pure Web Remote‑Desktop Gateway

HTML5‑only client; no software installation required.

Supports RDP, VNC, SSH; extensible.

Lightweight and easy to deploy.

Modular architecture for custom extensions.

Missing fine‑grained permission control, command audit, and session recording.

QiZhi – Compliance‑Focused Commercial Product

Strong out‑of‑the‑box compliance for government, finance, energy sectors.

Rich work‑order approval workflow.

Multiple MFA methods (SMS, hardware token, etc.).

Comprehensive database audit.

Closed source, higher price, less flexible for cloud‑native environments.

Spug – Lightweight Operations Platform with Built‑In Bastion

Simple deployment; suitable for small teams.

Includes configuration management and task orchestration.

Supports basic SSH/RDP.

Limited advanced features (database audit, K8s integration, session recording).

Small community, not ideal for large enterprises.

The comparative table (shown below) evaluates protocol coverage, audit capability, authentication methods, and deployment complexity. JumpServer leads in protocol support, audit depth, and community activity; Teleport excels in zero‑trust and certificate‑based security; Guacamole wins on lightweight client‑less access; QiZhi dominates compliance for regulated sectors; Spug is best for minimal‑footprint teams.

Overall, JumpServer offers the best cost‑performance and broad applicability, which is why the guide focuses on its installation.

JumpServer Installation

Environment Requirements

OS: CentOS 7+, Ubuntu 18.04+, Debian 10+.

CPU: ≥ 2 cores.

Memory: ≥ 8 GB (recommended 16 GB).

Disk: ≥ 60 GB free.

Kernel: ≥ 4.0.

Dependencies: wget, curl, tar, gettext, iptables, python3.

Docker containers are used internally; no manual MySQL/Redis installation needed unless external services are desired.

One‑Click Installation (Recommended for Beginners)

curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.28.8/quick_start.sh | bash

The script downloads the installer to /opt/jumpserver-installer-v2.28.8, pulls Docker images, generates configuration files, and completes the setup automatically.

Standard Deployment (More Control)

Download and extract the installer:

cd /opt
wget https://github.com/jumpserver/installer/releases/download/v2.28.8/jumpserver-installer-v2.28.8.tar.gz
tar -xf jumpserver-installer-v2.28.8.tar.gz
cd jumpserver-installer-v2.28.8

Optionally edit config-example.txt to adjust parameters such as SECRET_KEY (≥ 50 characters), BOOTSTRAP_TOKEN (≥ 24 characters), HTTP_PORT (default 80), SSH_PORT (default 2222), and external DB_HOST / REDIS_HOST.

Run the installer:

./jmsctl.sh install

Installation may take several minutes depending on network speed. Completion is indicated by the message "The Installation is Complete".
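As an added example (not code from the article or the JumpServer project), the POSIX shell script below checks the two length minimums stated above against a config file and regenerates any value that falls short. The thresholds (SECRET_KEY ≥ 50, BOOTSTRAP_TOKEN ≥ 24) come from the article; the sample config contents and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article or the JumpServer project: verify that a
# JumpServer config file (config-example.txt, before install) meets the minimums
# the article gives: SECRET_KEY >= 50 characters, BOOTSTRAP_TOKEN >= 24 characters.

# Print the value of KEY=value in file $1 for key $2, without surrounding quotes.
jms_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Print a random alphanumeric string of length $1, drawn from /dev/urandom.
jms_random() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Return 0 if both secrets meet the minimum length, 1 otherwise (reasons on stderr).
jms_check_config() {
    ok=0
    secret=$(jms_get "$1" SECRET_KEY)
    token=$(jms_get "$1" BOOTSTRAP_TOKEN)
    if [ "${#secret}" -lt 50 ]; then
        echo "SECRET_KEY is ${#secret} chars, need >= 50" >&2; ok=1
    fi
    if [ "${#token}" -lt 24 ]; then
        echo "BOOTSTRAP_TOKEN is ${#token} chars, need >= 24" >&2; ok=1
    fi
    return $ok
}

# Replace any too-short (or missing) secret with a fresh random one of the
# minimum length; values that already comply are left untouched.
jms_fix_config() {
    for pair in SECRET_KEY:50 BOOTSTRAP_TOKEN:24; do
        key=${pair%%:*}; min=${pair##*:}
        cur=$(jms_get "$1" "$key")
        if [ "${#cur}" -lt "$min" ]; then
            grep -v "^[[:space:]]*$key=" "$1" > "$1.tmp" || true
            mv "$1.tmp" "$1"
            printf '%s=%s\n' "$key" "$(jms_random "$min")" >> "$1"
        fi
    done
}

# Constructed sample config (not a real deployment file) with placeholder secrets.
sample=$(mktemp)
printf 'HTTP_PORT=80\nSSH_PORT=2222\nSECRET_KEY=changeme\nBOOTSTRAP_TOKEN=short\n' > "$sample"
if ! jms_check_config "$sample"; then
    jms_fix_config "$sample" && echo "weak values replaced in $sample"
fi
```

Run it against config-example.txt before the install step; SECRET_KEY is used to encrypt the account passwords JumpServer vaults, so do not rotate it on an instance that is already installed.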

Common Management Commands

Start: ./jmsctl.sh start
Stop: ./jmsctl.sh stop
Restart: ./jmsctl.sh restart
Status: ./jmsctl.sh status
Stop all containers: ./jmsctl.sh down
Uninstall: ./jmsctl.sh uninstall

Configuration resides at /opt/jumpserver/config/config.txt; modify it and restart to apply changes such as HTTPS or custom ports.

Daily Usage Guide

1. Create Users and User Groups

In the backend, navigate to User Management → User List → Create. Fill in username, name, email, phone, and role (admin, auditor, regular). Group users (e.g., DBA, Ops, Development) for easier permission assignment.

2. Add Assets

Go to Asset Management → Asset List → Create and provide a name (e.g., prod-web-01), IP, protocol (SSH/RDP), and port. Optionally organize assets into a tree structure (production, testing, data‑center). Assign the system account (e.g., root or a sudo‑enabled user) that JumpServer will use to log in.

3. Create Authorization Rules

Under Permission Management → Create Authorization Rule, specify the user/group, asset/group, system account, allowed actions, and optional command filters (e.g., block rm -rf or DROP DATABASE). Example: grant the "Ops" group access to all Linux servers under "Production" using the root account while forbidding rm -rf.

4. User Login and Web Terminal

After authorization, users log into JumpServer via a web browser, click Web Terminal, and select an asset. Every command, its output, session video, and login/logout timestamps are recorded. Auditors can replay sessions in Session Management or Audit Center. SSH direct access is also available:

ssh -p 2222 username@jumpserver-ip

5. Batch Connect to Multiple Assets

The web terminal allows selecting multiple assets and opening parallel sessions, useful for bulk checks or log collection.

Summary

Bastion hosts are not optional accessories; they are the security baseline for any operations team. JumpServer, as the most feature‑complete open‑source bastion, offers comprehensive 4A capabilities, active community support, and flexible deployment options that suit both small teams and large enterprises. While Teleport, Guacamole, QiZhi, and Spug each have niche strengths, JumpServer's overall balance makes it the default choice for most scenarios.

Written by AI Agent Super App