Your infrastructure.

Your data.

Your bastion host.​

Ezeelogin is a fully self-hosted bastion host — deployed on your own servers, controlled by your team. Centralized SSH access, session recording, RBAC, and audit logs. No SaaS vendor in the middle.

Trusted for

100% On-Premise Deployment

SSH Session Recording

Full Data Sovereignty

Compliance-Ready Audit Logs

What is a bastion host?

A single hardened gateway between your team and your servers

A bastion host — also called a jump server or jump host — is a dedicated server that sits between your users and your private infrastructure. Instead of giving each user direct SSH access to every server, all connections are routed through the bastion.

This gives you a single point of control: enforce authentication policies, log every session, restrict commands, and revoke access — all from one place, across your entire fleet.

Ezeelogin is a purpose-built bastion host application. Install it once on a Linux server, and you have a complete SSH access control layer with a web GUI, session recording, RBAC, MFA, and audit logs — self-hosted entirely within your own infrastructure.

No cloud dependency. No vendor in the middle of your access layer. Your data stays on your servers.

USERS BASTION HOST YOUR SERVERS Admin / DevOps Full access Support Tech Scoped access Client Own servers only Contractor Time-limited, MFA Ezeelogin Self-hosted bastion host RBAC + MFA Session Recording Audit Logs Instant Revocation Command Guard Web SSH Client Runs on your infrastructure Production AWS · GCP · Bare metal Staging Any Linux server Client servers VPS · Dedicated Internal infra On-premise · Private cloud ✕ No direct SSH access to servers SSH connection (authenticated + MFA) Controlled access (RBAC-filtered, recorded) Server online
Why self-hosted matters

Three reasons teams choose on-premise over SaaS

For teams managing sensitive infrastructure, who controls the software and where data lives is not a minor detail.

01

Your SSH session data shouldn’t live on a vendor’s cloud

Session recordings, access logs, and credential flows contain sensitive information. With SaaS bastion hosts, that data is stored and processed by a third party creating a vendor dependency and potential data exposure risk you didn't consent to.

Ezeelogin stores all session data within your own infrastructure. No data leaves your environment.

02

Compliance frameworks require you to control your own access boundary

ISO 27001, SOC 2, PCI-DSS, and HIPAA all require you to define and control your system boundary. Routing privileged access through a SaaS platform complicates your scope and your auditor will notice.

Self-hosted Ezeelogin keeps privileged access controls within your defined system boundary.

03

SaaS outages become your operational outages

If your bastion host is a SaaS product, your team's ability to SSH into production servers depends on that vendor's uptime. A vendor incident becomes your incident — with no control over resolution time.

Ezeelogin runs on your infrastructure. Your uptime, your HA configuration, your control.

Getting started

Up and running in under 30 minutes

Install on any Linux server. No cloud accounts, no vendor dependencies, no data leaving your environment.

Up and running in under 30 minutes

Install on your server

Run the Ezeelogin installer on any Linux server or VPS. Takes under 10 minutes.

Add your servers

Onboard servers individually or in bulk. Organize by client, region, role, or environment.

Set access rules​

Assign users and groups via RBAC. Restrict commands. Enable MFA. Set IP allowlists.

Every session recorded

All SSH activity is logged, timestamped, and fully auditable from day one.

Features

Everything a self-hosted bastion host needs to work at scale

SSH jump server gateway

All SSH connections tunnel through Ezeelogin. No direct server access. One hardened entry point for your entire infrastructure.

Core feature

Role-based access control

Every session captured and replayable. Searchable by user, server, date, or command. Essential for audit, forensics, and dispute resolution.

RBAC

Full SSH session recording

Every SSH session is recorded with timestamps and detailed audit trails. Easily search and review session activity by user, server, or date to strengthen accountability and resolve client disputes.

Audit

MFA enforcement

Enforce two-factor authentication at the gateway level for all users — Google Authenticator, Duo, YubiKey, Radius or FIDO2 . No bypass paths.

Security

Instant access revocation

Remove a user's access across every server in a single action. No manual key cleanup. Works in seconds regardless of fleet size.

Offboarding

Compliance audit logs

Complete access and privilege logs generated automatically. Structured for PCI-DSS, ISO 27001, SOC 2, and HIPAA auditor requirements.

Compliance

Browser-based SSH access

Web terminal lets users SSH from a browser — no client software required. Ideal for clients or contractors who need controlled access.

Client access

Command Guard (sudo control)

Whitelist or blacklist specific commands per user or group. Prevent destructive or unauthorized actions on servers before they happen.

Command Guard

High availability cluster

Master-slave HA configuration ensures your bastion host stays up. Automatic failover. No single point of failure in your access layer.

HA

SaaS vs. self-hosted

What you give up — and what you gain

Most modern bastion hosts are SaaS products. Here’s what that means in practice versus running Ezeelogin on your own infrastructure.

SaaS bastion host

Access control, managed by someone else

Ezeelogin — self-hosted

Access control, on your infrastructure

How Ezeelogin compares

Ezeelogin vs. other bastion host solutions

From open-source jump server setups to enterprise PAM platforms — here’s how Ezeelogin fits in the landscape.

Capability Ezeelogin Teleport OpenSSH jump host AWS Session Manager
Fully self-hosted, on your serversPartial
Web-based GUI for access managementPartial
Full SSH session recording Partial
Role-based access control (RBAC)ManualVia IAM
Works across any cloud + bare metalAWS only
Instant user revocation (all servers)ManualPartial
Setup time30 minutesHours–daysDIYHours
Pricing modelPer serverEnterpriseFree / DIYAWS costs
Real scenarios

Who runs Ezeelogin as their bastion host

DevOps teams

Centralizing SSH access across a multi-cloud production environment

Teams running workloads across AWS, GCP, and bare metal need a single access control layer that doesn’t depend on any one cloud provider. Ezeelogin acts as the SSH gateway regardless of where servers live — with consistent RBAC, MFA, and session logging across every environment.

Outcome: One access control policy. Full visibility. No cloud lock-in.

MSPs & hosting companies

Managing SSH access across hundreds of client servers

Managed service providers need to give technicians access to client servers without exposing root credentials, and revoke access instantly when staff leave. Ezeelogin handles onboarding, offboarding, and client-facing SSH access through a single gateway — with a full audit trail for every session.

Outcome: Dispute resolved in minutes. Accountability established.​

Compliance-driven teams

Satisfying PCI-DSS, ISO 27001, or SOC 2 privileged access requirements

Auditors require evidence of privileged access controls, session logging, and user activity monitoring. Ezeelogin generates the audit logs, session recordings, and access records these frameworks require — from a self-hosted deployment that sits cleanly within the compliance system boundary.

Outcome: Audit evidence generated automatically. System boundary stays clean.

Enterprise IT

Replacing ad-hoc SSH key management with a governed access layer

Organizations relying on shared SSH keys or per-user key distribution have no reliable way to revoke access, audit sessions, or enforce MFA. Ezeelogin replaces this with a governed bastion — deployed on-premise, controlled by the IT team, with no vendor in the access path.

Outcome: Shared keys eliminated. Access governed. Full audit trail established.

Compliance

Designed for the access controls auditors actually check

Ezeelogin’s centralized SSH gateway, RBAC, MFA, session recording, and audit logs map directly to privileged access management requirements across the most common compliance frameworks. Self-hosted deployment keeps your system boundary clean.

PCI-DSS

ISO 27001

SOC 2

HIPAA

NIST

GDPR

SOX

FedRAMP

Common questions

Questions about self-hosted bastion hosts

Ezeelogin installs on any standard Linux server running RHEL, Ubuntu, or Debian. A 2-core, 2GB RAM VPS is sufficient for most teams. For larger deployments or high availability, we recommend dedicated hardware or a larger instance. Full requirements are in the installation guide.

Yes. Ezeelogin is cloud-agnostic. Any Linux server you can SSH into — whether on AWS, GCP, Azure, DigitalOcean, Hetzner, or bare metal — can be added to Ezeelogin. There is no cloud provider dependency.

A raw OpenSSH jump host gives you a network relay — nothing more. You still manage keys manually, have no session recording, no GUI, no RBAC, and no instant revocation. Ezeelogin builds the full access management layer on top: web-based management console, group-based RBAC, MFA enforcement, full session recording, audit logs, and single-action user revocation.

Ezeelogin supports a master-slave HA cluster configuration, allowing the secondary node to be promoted as the master during a primary node failure.

No. Ezeelogin is completely self-hosted. Session recordings, audit logs, access records, and all configuration data are stored entirely within your infrastructure. License validation is the only external communication, and it does not transmit session or user data.

Simple, server-based pricing. Your subscription is based on the number of servers added to the gateway, allowing you to scale your infrastructure without being limited by the number of users accessing the system.

 See full pricing →

Most teams complete installation in under 30 minutes. Adding servers and configuring your first user groups typically takes another 30–60 minutes. A free screen-share onboarding session is available if you want guided setup support.

Deploy your own bastion host today

Self-hosted. Up in 30 minutes. 30-day free trial, no credit card required.
Trusted by hosting companies managing millions of servers since 2009.