eastbaycyber

Jump Server (Bastion Host): Definition, How It Works, and When You’ll Use One

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

A jump server (often called a bastion host) is a tightly controlled system that serves as the approved entry point for administrators to access servers and services in a restricted network segment. It reduces exposure by preventing direct inbound admin access to private hosts and provides a single place to enforce authentication, authorization, and auditing.

A jump server (also called a bastion host) is a hardened gateway that centralizes privileged access to systems inside private or segmented networks. Instead of exposing SSH/RDP/WinRM to every server, you access internal resources through a controlled chokepoint where you can enforce MFA, tight authorization, and audit logging.

How a jump server works

At a high level, a jump server sits at the boundary between an admin’s workstation and protected internal resources. Instead of opening SSH/RDP/WinRM directly to every server, you allow those management protocols only from the jump server (or via it). This concentrates risk and control in one place.

Common architectures

1) Two-hop access (classic bastion)

  • Admin connects to the jump server over SSH or RDP.
  • From the jump server, the admin connects onward to internal targets (Linux via SSH, Windows via RDP/WinRM, network devices via SSH, etc.).

Use this when you need a simple, understandable model and can accept interactive access on the jump host.

2) Proxy-style access (no interactive shell on the jump host)

  • The jump server acts as a relay or gateway (SSH ProxyJump, RDP Gateway, reverse proxy for admin consoles).
  • The admin may never get a full desktop/shell on the jump system; traffic is proxied and logged.

This reduces attack surface because the “jump” is a service, not a general-purpose workstation.

3) Brokered access with PAM (Privileged Access Management)

  • A PAM system issues time-bound access, injects credentials, and records sessions.
  • The “jump” function becomes an access broker, often with session recording and approval workflows.

If you’re aligning to Zero Trust principles, this is usually closer to the model you want than a long-lived shared jump box.

What security controls a jump server typically enforces

A jump server is valuable because it’s a chokepoint where you can consistently apply controls:

  • Strong authentication: MFA, device certificates, SSO integration, and conditional access policies.
  • Authorization: allowlisting which users/groups may reach which target hosts/ports; time-based or ticket-based access.
  • Network segmentation: internal servers accept management traffic only from the jump server’s IP(s).
  • Logging and auditing: centralized logs, session metadata, and ideally keystroke/session recording (especially for privileged access).
  • Hardening: minimal software, restricted admin tools, patched OS, endpoint protection, and reduced outbound internet access.
  • Secrets hygiene: avoiding stored static admin passwords on endpoints; using ephemeral credentials or vault checkout.

If you’re evaluating your broader endpoint control stack, this pairs well with strong endpoint protection on both admins and jump hosts. (Related: see our Windows endpoint security comparison at best antivirus for windows business endpoints 2026.)

SSH jump server patterns (technical examples)

# ~/.ssh/config
Host jump
  HostName jump.example.com
  User adminuser
  IdentityFile ~/.ssh/id_ed25519
  ForwardAgent no

Host internal-*
  User ops
  ProxyJump jump

Then connect as usual:

ssh internal-db01

One-off command without SSH config

ssh -J adminuser@jump.example.com ops@10.20.30.40

Hardening SSH on the jump server (example settings)

# /etc/ssh/sshd_config (illustrative)
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AllowUsers adminuser opsuser
X11Forwarding no
AllowTcpForwarding yes
PermitTunnel no
ClientAliveInterval 300
ClientAliveCountMax 2
LogLevel VERBOSE

Network policy idea (simple, effective)

  • Permit inbound SSH/RDP to the jump server only from known admin networks (or via VPN / conditional access).
  • Permit outbound SSH/RDP/WinRM from the jump server to internal subnets.
  • Deny direct inbound management access to internal hosts from anywhere else.

Logging and monitoring: what to look for

Linux SSH auth logs (paths vary)

  • Debian/Ubuntu: /var/log/auth.log
  • RHEL/CentOS/Fedora: /var/log/secure

Common SSH events:

  • Successful login:
  • Accepted publickey for <user> from <ip> port <n> ssh2
  • Failed login:
  • Failed password for <user> from <ip> port <n> ssh2
  • Suspicious scanning:
  • repeated failures across many usernames from the same source IP

Quick triage:

# Top sources hitting SSH
sudo awk '/sshd/ && /Failed|Accepted/ {print $(NF-3)}' /var/log/auth.log | sort | uniq -c | sort -nr | head

# Show successful logins with source IP
sudo grep "Accepted" /var/log/auth.log | tail -n 50

Windows jump servers (RDP “jump boxes”)

On Windows-based jump servers you’ll typically monitor:

  • RemoteInteractive (RDP) logons
  • Account lockouts and unusual failed logon patterns
  • New services, scheduled tasks, and PowerShell activity

Exact event IDs and telemetry sources vary by configuration; prioritize: establish a baseline, then alert on deviations.

When you’ll encounter (and use) a jump server

1) Segmented enterprise networks (prod vs. corp)

In many orgs, production networks are isolated from user networks. Admins cannot reach production servers directly from their laptops. A jump server (or a fleet of them) becomes the sanctioned bridge:

  • Corp network → jump server in management subnet → production servers
  • Often paired with change-management or ticketing requirements

2) Cloud environments with private subnets

In AWS/Azure/GCP, critical workloads frequently live in private subnets with no public IPs. You’ll see:

  • Bastion hosts in a public subnet (older pattern)
  • Or private access methods (VPN/DirectConnect/ExpressRoute + internal jump hosts)
  • Proxy/broker services that reduce the need for public-facing bastions

3) Regulated industries and audit-heavy environments

Jump servers are common in finance, healthcare, and critical infrastructure because they support:

  • Strong access control for privileged users
  • Centralized audit trails for administrative actions
  • Separation of duties (e.g., approval before access)

4) MSP/IT admin operations and SMB “good enough” security

Managed service providers and SMB IT teams often adopt jump boxes to:

  • Avoid opening RDP/SSH to the internet for every client/server
  • Standardize tooling and logging
  • Reduce lateral movement opportunities if an admin workstation is compromised

Practical note: if your admins still rely on memorized or reused credentials, a password manager helps reduce the chance that the jump server becomes the “keys to everything.” See our guide: password manager for small business 2026.

5) Incident response and containment scenarios

During an incident, teams may temporarily force all admin access through a jump host to:

  • Limit attacker movement
  • Capture better forensic evidence (session logs)
  • Control which tools touch affected systems

If you’re doing this mid-incident, remember: the jump host’s logs become high-value evidence—protect and forward them immediately.

Practical checklist: deploying or reviewing a jump server

  • Restrict inbound access to known admin networks (or require VPN/conditional access).
  • Enforce MFA and prohibit password-based SSH where feasible.
  • Deny direct admin access to internal servers except from the jump server.
  • Centralize logs (SIEM), alert on unusual login sources/times, and track session starts/stops.
  • Keep it minimal: fewer tools, fewer users, fewer outbound paths.
  • Patch and monitor it as Tier 0/Tier 1 infrastructure (high-value target).

Tooling considerations (optional, but common)

  • VPN for admin connectivity: If admins connect remotely, a reputable VPN can help reduce exposure compared to direct internet-facing management ports. Options include NordVPN Teams-style offerings via Check NordVPN pricing → or Surfshark business options via Try Proton VPN → (choose based on your identity/MFA and device posture requirements).
  • Password manager for privileged workflows: For small teams, storing admin credentials in a dedicated password manager (with MFA, audit trails, and access controls) is often a quick win—1Password is a common choice: Try 1Password →.
  • Endpoint protection on the jump host: Because the jump server is a high-value target, ensure you have strong EDR/antimalware coverage and alerting. Malwarebytes for Teams is one option: Get Malwarebytes →.

A jump server is not “extra friction for admins”—it’s a practical control that makes segmentation workable while improving visibility and accountability for privileged actions.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Related terms

Bastion host

often used interchangeably with jump server; emphasizes that it’s hardened and exposed (at least to an admin network).

Jump box

informal term; typically implies a GUI-based (often Windows/RDP) administrative host.

PAM (Privileged Access Management)

manages privileged credentials, approvals, session recording; can include jump/broker functionality.

Privileged access / administrative access

elevated permissions used to manage systems (root, Administrator, sudoers).

Network segmentation

dividing networks into zones to reduce blast radius; jump servers commonly sit in a management segment.

RDP Gateway / Remote Desktop Gateway

brokers RDP access (often with MFA and policies), reducing the need to expose RDP directly.

VPN (Virtual Private Network)

extends private network access to remote users; can complement a jump server, but doesn’t replace privileged session auditing.

Zero Trust / ZTNA

authenticates/authorizes per session and per resource; may reduce reliance on traditional jump boxes.

Session recording

capturing administrative sessions (screen/keystrokes/commands) for investigation and compliance.

Just-in-time (JIT) access

temporary privilege grants that expire automatically; often implemented via PAM and enforced at/through the jump layer.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.