All systems operational · 99.99% uptime SLA
Bastion Host — Cloud Audit System · MFA · Session Replay · Command Control · Access Policy

Every admin session. Controlled. Recorded. Audited.

NubexCloud Bastion Host is the single gateway through which all operator access to your cloud infrastructure flows. No one connects directly to a server again. Every session is authenticated, policy-checked, recorded, and available for replay. Who accessed what, when, and exactly what they did — always on record.

[Diagram: Operators (System Admin admin@corp.com, Developer dev@corp.com, Database Admin dba@corp.com, and an unknown user ext.vendor) connect to the Bastion Host, which applies MFA verification (SMS · Token · Google Auth · AD · RADIUS · Local), access policy (user + resource + time, command control), and session recording (100% accuracy, video replay available) before reaching the protected resources: Linux servers over SSH, Windows servers over RDP, and databases over MySQL. The unknown user ext.vendor is blocked. No direct access: all routes go via the Bastion.]

10+ supported protocols: SSH · RDP · VNC · Telnet · FTP · MySQL
100% sessions recorded: 100% command accuracy · video replay
Zero direct server access: All traffic through single gateway
MFA multi-factor auth: SMS · Token · Google Auth · AD
The Problem

Direct server access is ungovernable. It leaves no trace.

When developers and admins connect directly to servers, every session is invisible. No record of what commands ran, what files were accessed, what database queries were executed. If something goes wrong — a data leak, a misconfiguration, a ransomware deployment — there is no audit trail to investigate.

Without Bastion Host

Chaos. Invisibility. Risk.

Anyone with credentials connects directly to servers — no centralized control
No record of what commands were run, what files were changed, what data was accessed
Server passwords distributed to multiple people — can't rotate without disruption
No ability to restrict which commands a contractor can run on a production server
Compliance audit fails — no evidence of access controls or activity monitoring
When an incident happens: no log, no replay, no accountability
With NubexCloud Bastion Host

Control. Visibility. Compliance.

All access routes through a single authenticated gateway — centralized policy enforcement
Every session recorded — commands, file transfers, database queries — with video replay
Operators never see server passwords — Bastion handles credentials automatically
Command-level control — restrict what a contractor can execute on production, with alerts
Full audit trail satisfies compliance requirements — MLPS, ISO 27001, SOC 2
When an incident happens: full session replay, exact commands, user identity — always
🔐 Single entry point
Eliminate direct server access permanently. Every operator authenticates through the Bastion Host first — regardless of protocol or target system.
📹 Full session replay
Every session is video-recorded and available for replay. Review exactly what commands ran, what files were transferred, and what changes were made — any time.
Cmd-level control
Define exactly which commands each user can run — allow, deny, alarm, or require second-person approval — per user, per resource, per time window.
🤝 2FA · Two-person approval
For critical operations on core infrastructure, require a second administrator to approve before the session proceeds. Enforce four-eyes principle on production.
How It Works

Every session through five verified stages.

No request reaches a server without passing all five stages. Each stage adds a layer of control and leaves an audit record. No stage can be skipped — and the entire journey is recorded.

Step 1 · Identity · Operator authenticates
MFA required — SMS code, TOTP token, Google Auth, or mobile token. AD/RADIUS enterprise SSO supported. IP and MAC whitelist enforced.
Step 2 · Policy · Access policy checked
Access policy validated against user, resource, account, time window, and IP. Work order required if no standing permission. Denied access logged.
Step 3 · Session · Session starts + recorded
Session begins. All keystrokes, commands, file transfers, and screen activity are recorded in real time. Bastion Host connects to server using stored credential — operator never sees the password.
Step 4 · Command · Commands checked live
Every command matched against command control policy in real time. Restricted commands: denied instantly. Alarm commands: execute but alert. Critical commands: require second-person approval.
Step 5 · Audit · Full audit available
Session ends. Complete audit log and video replay available immediately. Export for compliance. Per-department audit access controls — auditors only see sessions within their scope.
Core Capabilities

Four capabilities that define enterprise-grade access control.

01 · Full session recording

Every session, available for replay.

Every SSH, RDP, VNC, and database session is recorded with 100% command accuracy. Video replay shows exactly what the operator saw on their screen. You can scrub to any moment, see every keystroke, and review file transfers — weeks or months later.

100% command accuracy — SSH, Telnet, FTP, SFTP
Video replay for RDP and VNC sessions
Export session logs for compliance evidence
Session Replay — admin@prod-db-01 · 14:32 · 8 min 14s
$ sudo su -
root@prod-db-01:~# systemctl status mysql
mysql.service - MySQL Server
Active: active (running) since...
root@prod-db-01:~# mysql -u root -p
Enter password: ••••••••
mysql> SELECT * FROM users LIMIT 5;
04:22 / 08:14 ● Recording complete · admin · 4 commands flagged

Command control policy — dev-team
git pull · git push · npm install → ✓ ALLOW
sudo systemctl restart * → ⚡ ALARM
rm -rf / · dd if= → ✗ DENY
DROP TABLE · DELETE FROM → 👥 2-PERSON
crontab -e · at → ⚡ ALARM
Command blocked in real time: dev01: rm -rf /var/www → DENIED · Policy #4

02 · Command-level control

Define exactly what each person can do.

Command control policies apply at the character level to SSH and Telnet sessions. Define rules per user, per resource, per time window. Commands can be allowed, denied, set to alarm, or trigger double-person authorization before executing.

Allow / Deny / Alarm / Dynamic authorization per command
Regular expressions and wildcards for command matching
Blocked commands logged with user identity and timestamp
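
An evaluator for a policy like the dev-team example above, added here as an illustration and not NubexCloud's own code. The regular expressions, the most-restrictive-wins ordering, the default-deny fallback and the splitting of chained commands are assumptions, not documented product behaviour.

```python
import re
from datetime import datetime, timezone

# Assumption: when several rules or segments match, the most restrictive wins.
SEVERITY = {"ALLOW": 0, "ALARM": 1, "TWO_PERSON": 2, "DENY": 3}
DEFAULT = "DENY"  # assumption: a command that matches no rule is denied

# Rules modelled on the page's sample "dev-team" policy; patterns are constructed.
RULES = [
    ("ALLOW", r"(git pull|git push|npm install)( .*)?"),
    ("ALARM", r"sudo systemctl restart .+"),
    ("DENY", r"(rm -rf /|dd if=).*"),
    ("TWO_PERSON", r"(?i)(DROP TABLE|DELETE FROM) .+"),
    ("ALARM", r"(crontab -e|at)( .*)?"),
]

# Simplified splitter for chained commands; not a shell parser (quoting is ignored).
SPLIT = re.compile(r";|&&|\|\||\|")


def classify(segment):
    """Return the most restrictive action whose pattern matches the whole segment."""
    actions = [a for a, p in RULES if re.fullmatch(p, segment)]
    return max(actions, key=SEVERITY.get, default=DEFAULT)


def evaluate(user, command):
    """Check every chained segment and build an audit record for the decision."""
    # Collapse repeated whitespace so "git   pull" and "git pull" match alike.
    segments = [" ".join(s.split()) for s in SPLIT.split(command)]
    decisions = [(s, classify(s)) for s in segments if s]
    matched, decision = max(
        decisions, key=lambda d: SEVERITY[d[1]], default=("", DEFAULT)
    )
    return {
        "user": user,
        "command": command,
        "matched": matched,
        "decision": decision,
        "time": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample input, mirroring the blocked command shown on the page.
    print(evaluate("dev01", "rm -rf /var/www"))
```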
03 · Credential vaulting

Nobody knows the server password.

Operators log into the Bastion Host using their personal credentials. The Bastion Host then connects to the target server using the stored credential — invisible to the operator. Server passwords are managed by the Bastion Host's automated change plan: rotated on schedule, vaulted securely, no human ever reads them.

Automated password change plan — rotate on schedule
Strong random password generation — per policy configuration
Department-level password management — keepers per department
[Diagram: Credential vaulting flow. The operator logs in with their own password and sees only their own login; the Bastion Host vault stores the server password and connects to the protected server. Automated password rotation: every 30 days → new strong password → vaulted. No human reads the password — ever.]
Protocol Support

Every protocol your infrastructure uses — supported.

Bastion Host doesn't require you to change how your infrastructure works. It proxies every protocol transparently — the tools your team already uses continue to work exactly the same way, just through the Bastion gateway.

🐧 SSH
Full SSH proxying for Linux hosts. Supports SSH key authentication, session collaboration, command control, and character-by-character recording.
🖥 RDP
Windows Remote Desktop through the Bastion. Video session replay, clipboard control, file management control — all configurable per user policy.
🖱 VNC
VNC session proxying for graphical Linux and virtual machine access. Full session recording with video replay capability.
📡 Telnet
Legacy Telnet protocol for network devices and older infrastructure. Command recording and access control applied identically to SSH.
📁 FTP / SFTP
File transfer auditing — every upload and download recorded. Compatible with FlashFXP, FileZilla, WinSCP, and xftp. File management control per policy.
🗄 MySQL
Database session proxying for MySQL with full query recording. Application publishing extends support to SQL Server and Oracle.
🌐 Web browser (HTML5)
Browser-based access to SSH, RDP, Telnet, VNC — no client installation needed. Works from any OS: Windows, macOS, Linux.
⚙️ Network devices
Built-in support for H3C, Huawei, and Cisco device types. Supports privilege escalation from a regular account to root/enable for SSH and Telnet.
Compliance & Use Cases

Access governance is mandatory. Bastion Host makes it operational.

Regulatory frameworks across finance, healthcare, and government require documented evidence of access control, privileged session monitoring, and audit trails. Bastion Host delivers this as a running system — not a point-in-time compliance checklist.

💳 Finance · Banking · Payments
Payment card and banking regulations require privileged access monitoring — and they audit it.
PCI DSS requires logging and monitoring of all access to system components containing cardholder data. A DBA connecting to a payment database without a session audit trail is a compliance failure — and a security risk. Bastion Host satisfies the privileged access monitoring requirement automatically: every database query logged, every session replayable, access policies enforceable to the command level.
PCI DSS Req 10 · ISO 27001 · Privileged session recording

🏛 Government · Critical infrastructure
MLPS and classification protection mandate continuous privileged access monitoring at every tier.
Multi-Level Protection Scheme (MLPS) requirements at Tier 3 and above specify privileged user access management, operation auditing, and the ability to replay specific sessions on demand. Bastion Host's department-based management model maps directly to government organisational hierarchies — audit administrators for each department see only sessions within their scope.
MLPS Tier 3+ · Department audit separation

🏥 Healthcare · Clinical systems · EMR
Clinical system access by IT staff must be logged, time-controlled, and revocable instantly.
Healthcare IT teams regularly access EMR database servers, imaging systems, and clinical applications for maintenance. Under HIPAA and regional equivalents, every access to systems containing patient data must be auditable. Bastion Host's time-limited access control means a vendor can be granted a two-hour maintenance window — and that window closes automatically, with a full replay of everything done.
HIPAA access audit · Time-limited vendor sessions

⚙️ SaaS · DevOps · Multi-team infrastructure
Contractors and third-party vendors need limited server access. Not full server access.
DevOps teams give vendors temporary SSH access to diagnose issues — then forget to revoke it. A developer leaves and still has SSH access to production servers because rotating passwords is painful. Bastion Host solves both: vendor access expires automatically at the end of a work order, and revoking a user's access is a single console action with no password rotation needed anywhere.
Work order access · Instant revocation
Customer Stories

Controlled. Recorded. Proven.

0 uncontrolled access events after deployment
Finance · 400+ servers · UAE · PCI DSS audit
We had an external PCI DSS audit six weeks after deploying Bastion Host. The auditors asked for evidence of privileged access monitoring on our payment processing servers. We gave them a live demo of session replay — they asked how far back the records went. We said unlimited. That was the end of that finding.
Head of Information Security · Regional bank · Dubai

3h to replay a session and identify the misconfiguration source
SaaS · 80 engineers · KSA · Incident response
A production database was misconfigured and caused an outage affecting 12,000 users. Without Bastion Host this would have been a three-day investigation. With it, we found the exact session, played back the commands, identified the engineer and the specific config change that caused the issue — in three hours. Corrected, documented, communicated to customers. Same day.
VP Engineering · B2B SaaS platform · Riyadh

100% vendor sessions audited with time-limited work orders
Healthcare · Clinical IT · Egypt · Vendor management
We have twelve different third-party vendors who maintain different systems in our clinical environment. Previously each one had standing SSH credentials — some of them going back years. Bastion Host replaced all of it with work-order access: vendor requests access for a specific window, gets a time-limited session, we watch in real time, replay it afterward. No standing credentials anywhere.
IT Director · Private hospital group · Cairo

Trusted by teams across the region
Falcon AI · TradeSpark · Masaar · NEXAGEN · Salam Digital · Orbita
Global Network

A truly global infrastructure for fast, reliable service delivery.

26 Regions
33 Availability Zones
25ms Regional latency
99.95% SLA uptime

The gateway between your operators and your infrastructure

No direct access. Every session. On record.

SSH, RDP, database, file transfer — all through a single authenticated gateway. MFA enforced. Commands controlled. Sessions recorded and replayable. Compliance documented automatically.
