
Bastionhost: What is Bastionhost (Basic, Enterprise Dual-Engine, and SM-compliant editions)

Last Updated: Mar 31, 2026

Bastionhost is an operations and maintenance (O&M) and security audit platform that centralizes privileged access control, enforces least-privilege permissions, and records every session—giving your organization a complete, auditable record of who did what, when, and on which asset.

Available in Basic Edition, Enterprise Edition, and SM Edition.

Who should use Bastionhost

  • IT administrators who need a single place to grant and revoke access to servers, databases, and other assets across the organization.

  • Security engineers who need full audit trails, session recordings, and real-time interception of high-risk operations to meet compliance requirements such as classified protection.

  • O&M engineers who want streamlined, secure access to authorized assets without managing SSH keys or shared passwords.

How it works

  1. Users authenticate through Bastionhost using two-factor authentication.

  2. Bastionhost checks their permissions and presents only the assets they are authorized to access.

  3. Users connect to the target asset through Bastionhost.

  4. All operations are recorded in real time. Administrators can replay sessions and review text-based audit records for any O&M event.

Benefits

Unified portal for O&M

Bastionhost acts as the single entry point for all asset access, shrinking the attack surface. Instead of opening direct connections to each server, users access all authorized resources through one portal—reducing both security exposure and the operational overhead of managing individual access paths.

Two-factor authentication

Beyond passwords, Bastionhost requires a second authentication factor, delivered by one of the following: text message, email, DingTalk work message, OTP token, or SM USB key. This prevents unauthorized access even when account credentials are compromised, defending against both password leakage and brute-force attacks.

Fine-grained permission assignment

Permissions are defined at the intersection of user, asset, and asset account. A user can only reach the specific assets and accounts they are explicitly authorized for—nothing more. Centralized permission management makes it straightforward to update access across the entire environment.
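The following is an added example, not Bastionhost's own code or API, that models the permission rule described above: an authorization exists only as an explicit (user, asset, account) triple, and centralized revocation removes every grant for a user or an asset in one step. The class and method names, and the sample users and assets, are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One explicit authorization: this user may log on to this asset as this account.
    All three fields must match; there is no wildcard."""
    user: str
    asset: str
    account: str


class PermissionStore:
    """Explicit-allow store keyed on the user/asset/account intersection (hypothetical)."""

    def __init__(self) -> None:
        self._grants: set[Grant] = set()

    def grant(self, user: str, asset: str, account: str) -> None:
        self._grants.add(Grant(user, asset, account))

    def revoke(self, user: str, asset: str, account: str) -> None:
        self._grants.discard(Grant(user, asset, account))

    def is_authorized(self, user: str, asset: str, account: str) -> bool:
        # Deny by default: only an exact triple that was explicitly granted passes.
        return Grant(user, asset, account) in self._grants

    def visible_assets(self, user: str) -> dict[str, set[str]]:
        """The asset -> accounts map a user sees after logon (step 2 of 'How it works')."""
        visible: dict[str, set[str]] = {}
        for g in self._grants:
            if g.user == user:
                visible.setdefault(g.asset, set()).add(g.account)
        return visible

    def revoke_user(self, user: str) -> int:
        """Central offboarding: drop every grant for a user; returns how many were removed."""
        doomed = {g for g in self._grants if g.user == user}
        self._grants -= doomed
        return len(doomed)

    def revoke_asset(self, asset: str) -> int:
        """Decommissioning: drop every grant on an asset; returns how many were removed."""
        doomed = {g for g in self._grants if g.asset == asset}
        self._grants -= doomed
        return len(doomed)


if __name__ == "__main__":
    # Constructed sample data.
    store = PermissionStore()
    store.grant("alice", "web-01", "ops")
    store.grant("alice", "db-01", "readonly")
    print(store.visible_assets("alice"))
    print(store.is_authorized("alice", "web-01", "root"))  # same asset, unauthorized account
```

Note that holding the "ops" account on web-01 says nothing about the "root" account on the same host, nor about "ops" on any other host; each combination is a separate decision, which is what makes a later review of "who could reach what" exact rather than inferred.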

Security protection for asset credentials

Bastionhost rotates asset passwords automatically and supports passwordless logon through credential hosting. This reduces the exposure of passwords to O&M personnel, lowering the risk of passwords being copied, shared, or leaked during routine maintenance.

Continuous monitoring of O&M operations

High-risk commands, such as rm -rf /* and disk-formatting commands, are intercepted in real time before they execute. File upload and download operations can be restricted. For business-sensitive assets, you can enable secondary approval for O&M operations, giving administrators direct control over sensitive operations before they run.
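To show how command interception, secondary approval, and the text-based audit record fit together, here is an added example that is not Bastionhost's own code. It is a hypothetical gate that sits between the user's session and the asset: every command is checked against a short list of high-risk patterns, commands on assets marked as sensitive require approval, and every decision is appended to an audit trail. The rule list, the asset names, and the record format are constructed for this illustration; only "rm -rf /*" and disk formatting are named on the page.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    APPROVAL_REQUIRED = "approval_required"


# Illustrative high-risk patterns (constructed). A real deployment would
# maintain these centrally and tune them per asset class.
HIGH_RISK_RULES = [
    (re.compile(r"\brm\s+-\w*r\w*\s+/(\*|\s*$)"), "recursive delete of the root filesystem"),
    (re.compile(r"\bmkfs(\.\w+)?\b"), "disk formatting"),
    (re.compile(r"\bdd\b.*\bof=/dev/"), "raw write to a block device"),
]


@dataclass(frozen=True)
class AuditRecord:
    """One line of the text-based audit trail: who, on which asset and account,
    ran what, and what the gate decided."""
    timestamp: str
    user: str
    asset: str
    account: str
    command: str
    verdict: Verdict
    reason: str

    def as_text(self) -> str:
        return (f"{self.timestamp} user={self.user} asset={self.asset} "
                f"account={self.account} verdict={self.verdict.value} "
                f"reason={self.reason!r} cmd={self.command!r}")


class CommandGate:
    """Inspects each command before it is forwarded to the asset (hypothetical)."""

    def __init__(self, sensitive_assets: set[str]) -> None:
        # Assets on which secondary approval has been enabled.
        self.sensitive_assets = sensitive_assets
        self.audit_log: list[AuditRecord] = []

    def inspect(self, user: str, asset: str, account: str,
                command: str, approved: bool = False) -> Verdict:
        verdict, reason = self._decide(asset, command, approved)
        # Record the decision whether or not the command was allowed.
        self.audit_log.append(AuditRecord(
            datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user, asset, account, command, verdict, reason))
        return verdict

    def _decide(self, asset: str, command: str, approved: bool) -> tuple[Verdict, str]:
        # 1. High-risk commands are blocked outright, before they reach the asset.
        for pattern, description in HIGH_RISK_RULES:
            if pattern.search(command):
                return Verdict.BLOCK, description
        # 2. On sensitive assets, anything else waits for an administrator's approval.
        if asset in self.sensitive_assets and not approved:
            return Verdict.APPROVAL_REQUIRED, "sensitive asset: administrator approval needed"
        return Verdict.ALLOW, "no policy matched"


if __name__ == "__main__":
    gate = CommandGate(sensitive_assets={"pay-db-01"})
    gate.inspect("alice", "web-01", "ops", "rm -rf /*")
    gate.inspect("bob", "pay-db-01", "dba", "systemctl restart postgresql")
    for record in gate.audit_log:
        print(record.as_text())
```

Two points the example makes explicit: the block decision is taken from the command text before anything is sent to the asset, so the audit record for a blocked command exists even though the command never ran; and approval is a per-asset setting, so the same command is allowed on an ordinary host and held for review on a sensitive one.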

Visualized audit for event tracing

Every O&M session is captured as both a session recording and a text-based audit record. Administrators can replay the full operation sequence as a video, making it straightforward to trace exactly what happened during any incident, satisfy audit requests, and meet classified protection requirements.