Never mind telnetd. Tier 1 transit providers doing port filtering is EXTREMELY alarming. They have partitioned the Internet, and in a way that automatic routing (BGP) can't get around.
> Tier 1 transit providers doing port filtering is EXTREMELY alarming.<p>I was admining a small ISP when blaster and its variants hit. Port filtering 139 and the rest was the easiest way to deal with it, and almost over night most of the ISPs blocked it, and we were better for it. There was a time when if you'd put a fresh XP install on the Internet you'd get 5-10 minutes until it would get restarted.<p>I guess if you're really an admin that <i>needs</i> telnet, you can move it to another port and go around it? Surely you'd tunnel that "old box that needs to stay alive" if that's the usecase? Is there anyone seriously running default telnet on 23 and is really affected by this filtering?
Lots of text games - MUDs - still play over telnet using dedicated MUD clients that implement their own telnet stack. Outright blocking the port has an outsized side efffe on them, this is simply not right.
Hosted roguelikes have been using ssh for at least 15 years. It's probably time for MUD folks to consider this.
If MUDs and other games were indeed using port 23/tcp for player access, they were not only incorrect but rather dangerous.<p>Since 23/tcp is a well-known IANA-registered port for the Telnet service, it is an RFC violation to use it for a service that is not telnetd/remote logins via TELNET protocol.<p>Any port below 1024 signifies that it is a "privileged port". This is an archaic distinction that developed in high-trust R&E networks, but it did signify that the listener on the port had administrative/root access to spawn a service there, so it was kind of a signal that you could "trust" the remote server with your login credentials.<p>The privileged ports were also priority, because if the unprivileged ones were "first come, first served" for unprivileged users, the administrator would have the ability to enforce the uniqueness of "privileged ports", and disable or kill any process that shouldn't be using one. A MUD Wizard who finds their port in-use (bound) on start is on their own.<p>Typically there were no MUDs running with, or needing, root privileges. They were run under user accounts, or specific unprivileged role accounts. They had no need of a privileged port, and many were clandestine or unauthorized, and forced to use a higher port number. That's why the 4-digit ports became so popular.<p>Anyway, the custom has already developed of blocking port 23 to protect users from unwittingly opening a management or login interface. Most shrewd admins would choose a port that isn't routinely blocked and filtered... and port-scanned.<p>If your favorite MUD runs on port 23 today, such as nethack or something, then I am glad for this change, which will force the administrator to select a unique port that does not imply privilege, TELNET protocol, or shell login credentials. It is totally RFC-compliant to select an unassigned port above 1023, and MUD conventions have popularized several numbers that are still recognizable to players today.
<i>> Any port below 1024 signifies that it is a "privileged port". This is an archaic distinction that developed in high-trust R&E networks, but it did signify that the listener on the port had administrative/root access to spawn a service there, so it was kind of a signal that you could "trust" the remote server with your login credentials.</i><p>If something is running on a privileged port is not enough to trust it. Firstly you need to trust to a host, you need to know where are you connecting to. If you connect to a random host with a privileged port and pass it your credentials you are doing stupid things.<p>This thing with privileged ports is protecting you from users who could run arbitrary code on a server. From them and not from anyone else. So for MUD there is a lot of reasons to run on 23 port, it is a signal for users of MUD that they are connecting to a process hat was started by the owner of the machine having the root.<p><i>> If your favorite MUD runs on port 23 today, such as nethack or something, then I am glad for this change, which will force the administrator to select a unique port that does not imply privilege, TELNET protocol, or shell login credentials. It is totally RFC-compliant to select an unassigned port above 1023, and MUD conventions have popularized several numbers that are still recognizable to players today.</i><p>If I was running a MUD, I would find some way to get around. I could use 22 for example, though it could cause me problems with logging in with ssh. But it is not an issue really, there are 1k privileged ports, I could choose one from them.
You have contradicted yourself within your comment. Either a "privileged port" can be trusted or it cannot.<p>As I implied in my previous comment, "privileged ports" are no longer a signal of trust on Internet hosts. Literally anyone could have administrator access to a host. The MUD could be running on a Raspberry Pi in a guy's basement. A telnetd server could be on port 23 of a personal router. You could telnet into a print server, a washing machine, or a microwave oven.<p>In a world where devices are cheap, personal, and accessible, anyone could be an administrator of anything.<p>You say "privileged ports ... protect you from users who could run arbitrary code" which makes no sense, man! Unprivileged users can always run arbitrary code unless they can't! Administrators must be able to run arbitrary code! Why should you be protected from that? If someone <i>cannot</i> run arbitrary code then chances are that they <i>cannot</i> bind a "privileged port" so is that what you meant?<p>Again, why does a MUD need a privileged port? Why? No reason. The vast majority of "privileged ports" are occupied and assigned. You do not want to use them. You have <i>no reason</i> to use unassigned, privileged ports for a MUD. It is not a question of "trust" or "arbitrary code" or authenticated users -- it's just a dumb game with no effects on the OS or host system, man! It's a virtual system!<p>I am afraid that MUD gaming has messed with people's minds more than social media. I myself was psychologically damaged by it. I urge you to seek help, before anyone else posts incoherent comments in this thread today.
They're remote terminal applications? Remote interactive text sessions. Over TELetype NETworking?<p>You're saying that connecting my tty (emulator), to a remote host is not the purpose of telnet?<p><backs away slowly><p>Though ... I suppose by now a switch to port 22 could make sense.
No. MUDs should never have adopted port 23 or port 22 or any pre-assigned ports. There is no "well-known port assignment" from IANA for MUD-type games or servers.<p>The end of RFC854, the very last paragraph, states:<p><a href="https://datatracker.ietf.org/doc/html/rfc854" rel="nofollow">https://datatracker.ietf.org/doc/html/rfc854</a><p><pre><code> Port Assignment
When used for remote user access to service hosts (i.e., remote
terminal access) this protocol is assigned server port 23
(27 octal). That is L=23.
</code></pre>
I would say that by the letter of the law, and by longstanding convention, that port 23/tcp is given to telnetd type login servers. A server listening on port 23 is expected to accept login credentials and furnish a shell or some management interface that affects the host itself. That someone would log in as a terminal user and perform computing tasks.<p>A MUD game could never be confused with managing the server where it runs, or a user/admin login to access that operating system. A MUD game has a specific purpose of recreation/leisure/communication.<p>Again, let us not conflate port 23 with telnetd with the TELNET protocol. These are all completely separate and distinct. Except that port 23/tcp implies TELNET protocol and also implies a telnetd-type server. It is sort of a one-way chain of requirement. telnetd could be run on any port (inadvisable) while TELNET protocol could be implemented by any other service (often preferable).<p>A MUD server is perfectly entitled to use TELNET protocol! In my server-hacking days, I often considered it a mistake and error not to support TELNET protocol! If I had known how to implement it, I would've added it to TinyMUCK myself! Honestly, it was not a priority because there was no known client supporting TELNET, either. Of course, protocol support needs to be on both ends to be effective. Without demand or capability from clients, it didn't really make sense for server programmers to add it in.<p>But we were perfectly content to stay on port 2283, port 4201, or port 6250, as our players and Wizards had established the games to run there, especially in those days we wished to escape notice by admins. The TELNET protocol can run on any port and support any "network virtual terminal" service. But the "telnet port" on 23 is special, unique, and as of last month, really inadvisable for everyone.
I don't understand how playing a MUD doesn't fit the definition of "remote user access to service hosts".
> by longstanding convention, that port 23/tcp is given to telnetd type login servers<p>First thing I ever telnetted to was Melvyl, University of California's library catalogue, around 1985. This was “remote user access” (I was a remote user) to “service hosts” (running the catalogue) providing “remote terminal access”. It was not a login.
I remember using MELVYL too, and you're completely right about that.<p>I would suggest that MELVYL on port 23/tcp was also unnecessarily impinging on the IETF standards. MELVYL could have easily established its own well-known port with the IANA and not conflicted with the TELNET login port.<p>Before the WWW, there were a multiplicity of search services and indexes. Remember Archie, WAIS, and Gopher? Apparently, WAIS was assigned port 210/tcp, but Archie apparently used TELNET on 23/tcp as well.<p>I think some of the pioneering Internet services were perceived as not requiring a dedicated port. If MELVYL was the only service running on the mainframe and it wasn't running a Unix telnetd, then why not usurp 23/tcp? The admins there probably perceived it as a virtual "octopus cable" connecting remote "terminal labs", and for sure they had alternate methods of access for OS servicing and configuration purposes. In the beginning of MELVYL they were undecided about which protocol would prevail, and TCP/IP was competing with others, so port numbers may have been afterthoughts for the architects.<p>The most important thing may have been the principle of not surprising users or confusing them with parameters. "telnetting to a host" was way easier without trying to specify that they needed a port number. Just ask any Unix admin where MUD users try to bang on their telnetd port trying to play the game...
Boy, wait until I tell you what happened with http!
Exactly the same thing? Are you taunting me with some kind of ignorance? Again, you've introduced ambiguity and we can't tell if you are referring to a protocol, or a port.<p>https has the special property of working on any port and didn't need to switch to 443. You could run https servers on port 80. Both of them are considered "privileged".<p>Plenty of http and https servers alike on unprivileged ports too. Ports 80 and 443 were more about exclusivity and well-known assignments, than trust.<p>The unique thing about HTTP the protocol is that it came to be implemented by practically everything, as in REST and web apps. It's an Internet <i>lingua franca</i>.<p>TELNET protocol was severely neglected, which is why I was surprised that MUDs kept it alive!<p>To sibling: A MUD character is not a user. A user is a user who logs into user accounts, e.g. shells. You could read it as "a host providing a service" to someone, I suppose, but again, in longstanding practice, 23/tcp was reserved to telnetd and other management/shell logins, not some kind of generic "interactive NVT anything goes" service. "Remote terminal access" was understood universally as like a console, or tty, that would invariably present a shell login, not Zork or Colossal Cave!
You mean something like this?<p><pre><code> mudplayer:x:1001:1001:MUD Player:/home/mudplayer:/usr/games/adventure</code></pre>
[flagged]
Their replies are only obtuse because you fail to see that you’re being made fun of for having such a ridiculous pedantic position about this. “Terminal” does not mean shell when you read the Telnet RFC. It means TTY. A human to machine interface. MUDs implement the Telnet protocol and provide a remote TTY. What’s running on the terminal is absolutely irrelevant.
It is not pedantic and many respondents are simply obstinately conflating the tcp port with the protocol and with the server software. You have done the same thing. Did you not read my statement where I said it is perfectly fine and even preferable for MUDs to implement TELNET? Where did I ever oppose the implementation of TELNET protocol?<p>Yes, when the TELNET protocol is in use, the applications are irrelevant to the underlying substrate of an NVT. But when port 23 is in use, everything changes. That is my point. And there seems to be a brigade of mudders who are butthurt about losing their pet TCP port in this. They cannot mock me because they are wrong. Their wizards chose poorly decades ago.<p><backs away slowly><p><realizes HN is not a MUD><p><stops emoting like you're a monster uWu>
> Your MUD wizards made a bad, bad choice long ago when they picked port 23.<p>I'm confused. I refer you to my previous answer. Which does not specify a port, nor does it need to.<p>:x: can be a PAM database?<p>It's ... how I'd do it. You get a lot for free.
Yes, and sftp and scp should not operate on port 22 because that isn't proper, interactive SSH!
> it is an RFC violation<p>I hate to break it to you, but RFC violations power the internet.<p>Also, RFCs are non-binding and the IANA port numbers are just strongly suggested.
I run a PDP-10 during the colder parts of the year. It's for historical preservation reasons. There are others doing the same thing. We still offer telnet access because that's how it worked back then. I guess we aren't going to be doing that anymore.
The GP's concern isn't a practical one, it's ultimately about net neutrality. It's not the ISP's job to discriminate against traffic—it's their job to deliver it.<p>This may seem like a good idea, and frankly is likely a net-positive thing, but it is literally the definition of "ISP decides what apps its customers can and cannot use."<p>I share the concern and don't really like it either.
It's not a net-neutrality issue because they're not banking on any alternative.<p>Net-neutrality law doesn't work like that. Service providers still get to filter stuff.<p>What's illegal for an ISP is e.g. to give VoIP services other than their own a lower priority. That would tie in customers to use their own service and they could even charge more for it. Net neutrality means a level playing field for services on the Internet.<p>If you ask your ISP to do filtering, that's perfectly legal. If they filter specific traffic for the purpose of maintaining service, that's okay too.<p>Now if there was no alternative and they'd try to sell their product by blocking telnet, they could be sued.
There is some merit to the end user ISPs doing that - for example one I used before filtered SMTP traffic (and iirc some other) to the client unless you opted out from it.<p>Which was mildly annoying workaround for the power users (disabling it was just changing the ppp login), but stopped a lot of accidentally open open relays and a lot of other cruft
Changes like these lend even more credibility to the approach of putting everything on port 443 over TLS, and distinguishing protocols based on hostname / HTTP path.
Wireguard over 443/udp is also a neat trick. No need to make it look like quic although I wouldn't be surprised if someone takes the effort to make it that stealthy.
If everything was on port 443 why would we even need ports.<p>The ports are there for a reason, it is idiotic to serve everything over http as you would need a mechanism to distinguish the different flows of traffic anyhow.
Preventing the traffic from being distinguished is the whole premise. Port 23 gets blocked because everyone uses it for telnet, and everyone expects bad actors to know that. If everything moves to 433, we'll end up with a variety of routing systems and no focal point for attack. The only alternative is to disallow port filtering in core internet infrastructure.<p>We can either have a standard and accept that bad actors will use it against us, or we can accept the chaos that results from abandoning it.
I do not know what is more critical: the risk of censorship or stand by while hospitals, banking, nuclear power plants and other systems become compromised and go down with people dying because of it. These decision makers not only have powers but also have a responsibility
Have you ever seen a hospital, a bank, a power plan to expose telnetd to the public internet in the last 20 years? It should be extremely rare and should be addressed by company’s IT not by ISPs.
These are the institutions I would most expect to do that.<p>Well, maybe not a bank.
Probably Tier 1 providers have some insight on this.
This feels more akin to discovering an alarming weakness in the concrete used to build those hospitals, banks and nuclear power plants – and society responding by grounding all flights to make sure people can't get to, and thus overstress, the floors of those hospitals, banks and nuclear power plants.
In the UK we have in fact discovered an alarming weakness in the concrete used to build schools, hospitals and other public building (in one case, the roof of a primary school collapsed without warning). The response was basically "Everybody out now".<p><a href="https://en.wikipedia.org/wiki/2023_United_Kingdom_reinforced_autoclaved_aerated_concrete_crisis" rel="nofollow">https://en.wikipedia.org/wiki/2023_United_Kingdom_reinforced...</a><p><a href="https://www.theconstructionindex.co.uk/news/view/raac-crisis-escalates-as-more-than-100-schools-told-to-get-out-now" rel="nofollow">https://www.theconstructionindex.co.uk/news/view/raac-crisis...</a><p><a href="https://www.theguardian.com/education/2023/aug/31/what-is-raac-reinforced-autoclaved-aerated-concrete-schools-buildings-england-close" rel="nofollow">https://www.theguardian.com/education/2023/aug/31/what-is-ra...</a>
You feel it's similar because having access to port 23 is similarly life critical as having access to an hospital? Or is it because like with ports, when people can't flight to an hospital, they have 65000 other alternative options?
nah, that's like seeing an open gate to nuclear tank - a thing easily fixed within few minutes - and responding to it by removing every road in existence that can bear cars
Censorship is one of these words that get slapped on anything.<p>Filtering one port is not censorship. Not even close.
> censorship, the suppression or removal of writing, artistic work, etc. that are considered obscene, politically unacceptable, or a threat to security<p>It is not the responsibility of the Tier 1 or the ISP to configure your server securely, it is their responsibility to deliver the message. Therefore it is an overreach to block it because you might be insecure. What is next. They block the traffic to your website because you run PHP?<p>Similar to how the mailman is obligated to deliver your letter at address 13 even though he personally might be very superstitious and believe by delivering the mail to that address bad things will happen.
Port 23 has been filtered by most providers for decades.<p>This is why everything converges on using TLS over 443 or a high port number. I don't see this as a huge deal, and <i>especially</i> not one deserving all caps rants about censorship. Save those for things like FOSTA/SESTA.
So basically the same as censorship because that is the exact same thing blocking ports does.
I can connect with the GNU telnet client via the Spectrum ISP to servers in both Seattle and the Netherlands.
not to mention, filtering on udp vs tcp, which makes using anything else impossible. Not that I have one, but it's just a bit in a field, why filter on it?
What an amazing bug. I probably spent my first 10 years on the internet just using telnet. They were wild times. You could log ethernet traffic and see passwords. Towards the end of those we started to have a few more single-user machines, but the vast majority were old school many many user machines, where "root" was thought to be tightly restricted (of course, even then, in practice it wasn't if you were in the know).<p>Anyway, just wild seeing this:<p>> telnet -l 'root -f' server.test<p>or<p>> USER='-f root' telnet -a server.test<p>Survive 11 years.
The more I work in software, the more amazed I am that anything works at all. There's likely so much low hanging fruit out there
I never sent root over telnet, but I spent too much vacation time browsing the web via lynx on my school AIX account from a library near my parents' home, because it had a telnet client in addition to the card catalogue program on the otherwise locked down desktop. It was just a more innocent time: you didn't assume your traffic was being logged six ways to Sunday. With telnet access to my AIX account, I could do all the internet things, like mail (pine) and the web (lynx) and irc, from a convenient command line anywhere in the world.
When did we all stop using telnet? I can't even remember. Most of my first 10-15 years was using telnet. One day I used telnet to connect to a shell for the last time and didn't know it. I had a ton of servers all with root telnet access Internet facing. Never hacked once, somehow. Those were the days.
In the Linux / BSD world, SSH took off incredibly fast for the time. I'd estimate that maybe 80% of people had moved to it within the first year of its release.<p>But adoption stalled when the original SSH moved to a commercial license in 1996-ish - many of us stuck with the last free version, but vulnerabilities started to pile up. There were various half-working alternatives, but it wasn't until OpenSSH came out in 1999 that the remaining telnet holdouts started to move across.
I worked for an ISP in the mid-90s and had been on the Internet since 1989 or so. I recall the progression for me was something like this:<p>We used telnet in college no problem. It was a fairly well-accepted method of remote access. The heterogeneous network had many different modes, but a major dialup point was the Annex box, which supported telnet into the Unix or VMS machines.<p>Between Unix machines, we would often prefer "rlogin" instead. There were several horrific iterations of other remote-access protocols such as "remsh". rlogin was notorious for its "/etc/hosts.equiv" authorization method which trusted DNS and should've been perceived as Swiss Cheese from the outset. rlogin was, IIRC, directly related to rsh and rcp and used the same frameworks. rlogin was no more secure than telnet, but probably less secure because of its conveniences.<p>We also used port 23/tcp for remote management, for example Cisco routers. They weren't running telnetd, but it was the port where you connected remotely and logged in with or without credentials.<p>rlogin persisted alongside telnet, until encryption came into fashion and ssh was distributed. Once ssh was available and working well, everyone knew that telnetd and rlogind were on borrowed time. The services were shut down and disabled in inetd. The ports were sometimes blocked. Security advisories went out.<p>I suppose it took a long, long time for ssh to finally dominate, and for people to abandon telnetd mostly, but it was fairly thorough. We all recognized the superiority of sshd's authentication and encrypted channels.<p>There were mitigations for people to extend their legacy use of telnetd and rlogind. For example, tcp wrappers and fail2ban could be implemented. Firewall filters could select only authorized networks. VPNs could tunnel through an Intranet that still used them. So, the services lived on wherever they didn't need to be exposed on the public Internet. But I think most Unix admins got the picture by the end of the dot-com bubble.
It's hilarious, especially given that I have memories of similar rlogin vulnerabilities -- various unixes being vulnerable to rlogin -l '-froot' in the 90s.
Never used telnet to log in to something but it is a cool debugging tool, so used it for that. E.g. can this container even send traffic to that container at all.
So Telnet as a client is not dead though, right? A long time ago, I used to use the Telnet client to talk to SMTP servers (on port 25) and send spoofed emails to friends for fun.<p>With port blocking widening in scope, I’ve long believed that we would one day have every service and protocol listening on port 443. Since all other ports are being knocked off in the name of security, we’ll end up having one port that makes port based filtering useless.
netcat, socat and openssl s_client are all available for general manual connection testing.<p>As are many other tools. But the ones above are basically far better direct telnet alternatives.
I've never really understood why it's a thing to use a telnet client for transmitting text on a socket for purposes other than telnet. My understanding is that telnet is a proper protocol with escape sequences/etc, and even that HTTP/SMTP/etc require things like \r\n for line breaks. Are these protocols just... close enough that it's not a problem in practice for text data?
Because for a long time, on most computers, the telnet client was the closest thing to an "open a tcp socket to this ip/port and connect the i/o from it to stdin/stdout" application you can get without installing something or coding it up yourself.<p>These days we have netcat/socat and others, but they're not reliably installed, while telnet used to be generally available because telnetting to another machine was more common.<p>These days, the answer would be to use a netcat variant. In the past, telnet was the best we could be confident would be there.
In corporate environments, netcat was often banned as it was seen as a "hacking" tool. Having it installed would sometimes get the attention of the security folks, depending how tightly they controlled things.
You don't even need netcat or socat for that, probing /dev/tcp/<host>/<port> from the shell is enough.
That's some gnu bash shenanigans. There is no /dev/tcp in unix<p>Lots of shops didn't have gnu installed: telnet was what we had.
Telnet was available in the 90s. I reckon /dev/tcp is way more recent. GP did say a long time ago.
Same reason that people use vi. It's always there.
The telnet protocol with escapes, etc. is only used by the telnet client if you’re connecting to the telnet port. If you’re connecting to HTTP, SMTP or something else, the telnet protocol is not enabled.
Because it's there.
In the days of yore, Windows had telnet installed. Most hackers used telnet in the 90's and early 2000's.
If it's alright to be pedantic, anyone with programming knowledge can do the same without these tools. What these offer is tried and tested secure code for client side needs, clear options and you don't need to hand roll code for.
You can program without tools? I want to see that. Do you still have switches to alter RAM content, or do you use the butterfly method?
who's hand rolling code anymore these days though?
I don’t remember how I did it but when I was about 12 years old I somehow managed to send SMS from Telnet to cell phones, and to the receiver they appeared to be sent by an official Telecom account - good that I was still an innocent child, had I discovered this a few years later I may have tried doing something nefarious with it.
None of this affects the use of telnet the client program nor the ability to run a telnetd on your own host (but do be sure it's patched!).<p>What's happened is that <i>global</i> routing on the internet (or big chunks of it, it's not really clear) has started blocking telnet's default port to protect presumably-unpatched/unpatchable dinosaur systems from automated attack. So you can no longer (probably) rely on getting to a SMTP server to deliver that spoofed email unless you can do it from its own local environment.
> <i>started blocking telnet's default port</i><p>But that's 23 and smtp is 25.
You would still be able to use the telnet client to connect to an SMTP server on TCP port 25, just not port 23, right? I don't think that part changed here.
It should be possible to get a better idea where the filtering happens with a tool like tcptraceroute (possibly patched to use other segments beyond the default TCP SYN).<p>I haven't found evidence of extremely widespread filtering. Why would there be? The installation count is not <i>that</i> high. The potential side effects from uncoordinated port filtering could be quite severe. This isn't netkit's telnetd or Busybox. (I'm aware of Debian switching defaults, but that was fairly recently.)
Why are people still using telnet across the internet in this century?
Was this _all_ attack traffic?<p>(OK, I know one ancient talker that uses it - but on a very non-standard port so a port 23 block wouldn't be relevant)
To watch Star Wars in ASCII.<p>telnet towel.blinkenlights.nl
<a href="https://www.youtube.com/watch?v=Mhcf6tc2jeQ" rel="nofollow">https://www.youtube.com/watch?v=Mhcf6tc2jeQ</a><p>(Remember hearing about this a long time ago (from some searching I think it was in 1999 via Slashdot) and verified some instance of it still exists/works.)
<p><pre><code> Connection failed
</code></pre>
Maybe we should give the kind person who hosts it a break. Try it out tomorrow. (Yes, I should have thought of that before I tried.)
~~IIRC the blinkenlights telnet movies have been offline for a few years already.~~
Telnet is used in legacy, IoT, embedded, and low-level industrial hardware. It's also intentionally enabled on devices where automation was written for telnet and it wasn't easy to switch to ssh.<p>If you investigate most commercial uses of ssh, the security is disabled or ignored. Nobody verifies host keys, and with automation where hosts cycle, you basically have to disable verification as there's no easy way around the host keys constantly changing. Without host key verification, there's kinda no point to the rest.<p>Even assuming the host keys were verified, the popular ssh conventions are to use either long-lived static keys (and almost nobody puts a password on theirs), or a password. Very few people use SSH with 2FA, and almost no-one uses ephemeral keys (OIDC) or certificates (which many people screw up).<p>So in terms of how people actually use it, SSH is one of the least secure transport methods. You'd be much more secure by using telnet over an HTTPS websocket with OAuth for login.
How do you automate, for example, "HTTPS over websocket with OAuth", without providing some kind of hard-coded, static or otherwise persistent authentication credentials to the calling system in some form (either certificate based auth, OAuth credentials, etc.)?<p>The problem with IoT and embedded secrets isn't really a solved problem, from what I can tell. I'm not sure that OAuth exactly solves the problem here. Though all your comments about SSH (especially host verification) holds true.<p>Just honestly trying to understand the possible solution space to the IoT problem and automated (non-human) authorization.
Unless you manage to leak your private host/client SSH keys, this is close to being as secure as it gets.<p>I'd say that HTTPS (or TLS in general) is more problematic, since you need to trust numerous root CAs in machine/browser store. Sure, you can use certificate pinning, but that has the same issues as SSH host key verification.
CA compromise is very rare and difficult. There are much easier attacks on TLS than that (notably, attacking insecure validation methods; the problem isn't that CAs aren't secure, it's that validation methods and their dependencies are insecure). Besides, the CAs for TLS only covers transport security; authentication+authorization would be handled securely through OIDC, using temporary sessions and not exposing the true credential, often combined with 2FA. Even you successfully attack a TLS server, two factors, and an active session, it only works once; you have to keep pulling it off to remain inside.<p>Compare that to malware that just copies a developer's ssh private key off the disk (again, almost nobody ever password protects theirs). This just happened recently on a massive scale with the npm attacks. Or intercepts the first connection from a client host and, again, because nobody ever validates keys, injects a false host key, and now they're pwnd indefinitely. Or, again, companies that do not strictly validate host keys, meaning immediate MitM. There's like a dozen ways to compromise SSH. It doesn't <i>have</i> to be that way, but it is that way, because of how people use it.
> Very few people use SSH with 2FA.<p>PCI DSS, HIPAA, and ISO 27001 each either highly recommend or enforce this.<p>I wouldn't use a jumphost without it.
> Nobody verifies host keys,<p>The known_hosts file <i>is</i> verification of host keys. It's not verification of a host cert, which is a different thing. Most sshd instances are running on ad hoc hardware without the ability to associate them with someone a cert authority would be willing to authenticate.<p>Basically people running services that need cert-based authentication are already using TLS (or if they're using sshd they've locked it down appropriately). SSH is for your workstation and your RPi and whatnot.
SSH certs aren't TLS certs. Totally different format. All SSH CAs are private, you run your own CA to issue certs to devices you want to allow to connect to your server.
It's... not about the file format.<p>The point is that a "private" cert is not a "cert" as commonly understood. The important part to a certification authority is the <i>AUTHORITY</i> part, not the data format. Either there is a trusted third party that will promise you are who you say you are, or there is not. With SSH, there is not, nor can there be as it is commonly deployed.<p>So applications that want that have used other protocols and other schemes, very productively.
>>Nobody verifies host keys,<p>>The known_hosts file is verification of host keys<p>I think the point was that those devices typically generate host keys dynamically and therefore the host key verification is usually turned off, leaving you just with encryption (which is still better than telnet - at least you're safe against passive adversaries). At least that's what I've seen in practice.
Hams use it over packet radio sometimes since encryption is forbidden on the amateur bands.<p>IMHO we need a good telnet replacement that sends signed data. Most people interpret signatures as allowed under FCC rules, just not encryption.
> IMHO we need a good telnet replacement that sends signed data. Most people interpret signatures as allowed under FCC rules, just not encryption.<p>I know from bitter experience that IPsec is a “now you have two problems” kind of solution, but the Authentication Header is a thing and is supported by most (all?) implementations. Ham radio operators probably don’t have much use for the actual <i>features</i> of telnet compared to plain netcat, do they? (It’s mostly terminal feature negotiation and such.)
You can use ssh with the None cipher, thus disabling encryption entirely while still using the rest of the protocol.
Most people don't care about FCC rules.<p>I'm breaking a tonne of FCC rules right now.
Yes but in many ways it's riskier to do that when you have a license from them.
In general, this is pretty true in practice.<p>Just dont mess with: GPS, Airline radio, cell phones, broadcast infra, emergency services<p>If you're blowing double the power for ISM, nobody cares. Your PEP using a yagi is 4x what is legal? Unless you piss off a ham, nobody cares.<p>And even if you are a ham, and are using 150KHz bandwidth with low power in, say 50MHz (regulation says 40KHz max), again, nobody cares.<p>And also if above 6GHz (common SDR top end), nobody will notice. The equipment up there is $$$$$.<p>But damn, you want to piss off hams? Mention bitrate maximums or encryption. You'll never hear the end from the old gatekeeping idiots.
> But damn, you want to piss off hams? Mention bitrate maximums or encryption. You'll never hear the end from the old gatekeeping idiots.<p>So much gatekeeping.<p>Incidentally, I have it Word From On High within Ofcom here in the UK that you literally cannot pay them to take an interest in what happens on the amateur bands.<p>There's "breaking the law" and there's "being a bit rude", the latter of which might be things like "hey let's do fastscan TV on 70cm and use about half the allocation!" You <i>do</i> have to watch with 70cm in the UK though because amateur radio is a secondary user, with primary users being the armed forces. But it's 10MHz wide and there's space for everyone to play.<p>Putting the 70cm packet BBS channel 5kHz above where all the car alarm keyfobs work was a bit silly though.<p>As regards microwave stuff, I've got some scrap 26GHz stuff at work that can apparently be tuned to 24GHz by swapping the cavity tuning screw for one of the slightly longer ODU outer cover screws, and tweaking a setting in the EEPROM in Factory Never Touch This Shit mode. Want to bet they had radio amateurs working for them?
One? All the talkers still use it and all the MUDs/MOOs etc. far out number the talkers.
Some of us still run historical systems for preservation's sake.
As I understand it, greynoise is monitoring scanner traffic, so yes this would all be scans or attacks
How else would I connect to my BBS to play L.O.R.D. and check FidoNet.
One reason would be to play MUDs, which are very well and alive these days!
nethack.alt.org still maintains a telnet server!
I've always used ssh to connect to it. And it's true that their port 23 is still open at last check. If you cannot reach port 23, and you irrationally hate ssh, you may use 14321 as an alternate.<p><a href="https://www.alt.org/nethack/" rel="nofollow">https://www.alt.org/nethack/</a>
telnet lambda.moo.mud.org 8888
MUDs were my introduction to telnet- I grew up a university kid and had access to Wesleyan's minicomputer EAGLE.WESLEYAN.EDU running OpenVMS. I used it to telnet to CMU's TinyMUD and later other TinyMUDs around the country. I recall OpenVMS's telnet had a problem with newlines/carriage returns so all the text was staircased, so I ended up learning C and writing a MUD client. I still habitually use telnet today even if netcat and many other tools have replaced it.<p>All of that was foundational for my career and I still look back fondly on the technology of the time, which tended to be fairly "open" to exploration by curious-minded teenagers.
For a few weeks I ran a MUD over AX.25 for a couple of my friends.<p>Because on their own, MUDs aren't nerdy enough, amateur radio isn't nerdy enough, and indeed packet radio isn't nerdy enough.<p>Eventually we decided we'd had our fun and now I needed to the TNC for something else.
Ah, my grandfather was a ham (N4MDB) and he always tried to get me interested in it, but I had to tell him I preferred the internet (this was late 80's, so few people actually had internet). Later when I read Stevens networking books I learned there was a whole Hawaii-based packet radio (ALOHAnet) , and the UC campuses had intercampus microwave networking for a while as well. I actually still remember him telling me about bouncing radio waves off the atmosphere which seemed like magic to me at the time.
Probably one of the reasons this bug survived so long is that it isn't used much for priveleged access any more, but so you can play a moo or play you an ASCII movie, as people below you are replying.
Aardwolf works well from my work laptop. And I don’t care if someone sees what I’m doing
I run a DikuMUD that users connect to using Telnet<p>I really should update it to allow more secure options
> that users connect to using Telnet<p>Not anymore ;)<p>Seriously though: did you notice any spikes up or down?<p>If you'd run it on a non-standard port, anyone can still connect with netcat, socat, etc etc.
Ah, not really. We are on a non-standard port (9000). I just meant some folks use the telnet client to connect, and we do negotiate some telnet options. I use tintin++ these days but I think most of our players are still using decades old zMUD versions to connect!
I always preferred gmud, but zmud has all the bells and whistles. All I needed was ANSI color, aliases, triggers, and command history.<p>How can I get access?
Or with telnet (the client)
To play DOOM.<p><pre><code> telnet doom.w-graj.net 666</code></pre>
Telnet will live on, in areas it probably shouldn't like industrial controls systems, switch management, regulated industries, printing, etc.
I'm slightly taken aback by the telnetd fix: The solution to the username "-f root" being interpreted as two arguments to /usr/bin/login is to add a "sanitize" function, really? I'm not seeing the sense in that. Surely in any case where the sanitize functions changes something, the login will fail. Better to error out early than to sanitize and try to hobble along.<p>What I'd like to know is how the arguments get interpreted like that in the first place. If I try giving that kind of argument /usr/bin/login directly, its argument parser chides me:<p><pre><code> $ login '-f root'
login: illegal option --
</code></pre>
What's telnetd doing differently? Is it invoking login via a shell?
You passed '-f root' to login (a single long string). telnetd is likely passing '-f' 'root' to login (two arguments instead of one, whether this is because it creates two, or it uses the shell (which then reparses) I don't know).<p>But '-f' is a valid option to login (man login):<p>login [-p] [-h host] [-H] [-f username|username]<p>...<p>-f Used to skip a login authentication. This option is usually used by the getty(8) autologin feature.
On the bright side that CVE seems like pretty great news for the hardware hacking community hoping to get root on embedded devices which have open telnetd.
The scope of this CVE and the response to it are genuinely wild.<p>It's crazy to think that <i>some dude</i> is singlehandedly responsible for ultimately ending the telnet era in such a definitive way.<p>One for the history books.
The CVE referenced is caused by this commit:<p><a href="https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c288b87139a0da8249d0a408c4dfb87" rel="nofollow">https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c28...</a><p>One of the changes is:<p><pre><code> - getterminaltype (char *user_name, size_t len)
+ getterminaltype (char *uname, size_t len)
</code></pre>
What is the reason for a rename these days? If I saw that in a code review I’d immediately get annoyed (and probably pay more attention)
From ChangeLog:<p><pre><code> * telnetd/utility.c (getterminaltype): Change the
name `user_name' to `uname', as the former shadows a precious
and global variable name.</code></pre>
Wouldn't attention to getenv() calls yield more benefit? Such calls are where input typically isn't parsed--because parsing is "hard"--becoming targets for exploit.<p>The present fix is to sanitize user input. Does it cover all cases?
> Someone upstream of a significant chunk of the internet’s transit infrastructure apparently decided telnet traffic isn’t worth carrying anymore. That’s probably the right call.<p>Does this impact traffic for MUDs at all? I know several MUDs operate on nonstandard Telnet ports, but many still allow connection on port 23. Does this block end-to-end Telnet traffic, or does it only block attempts to access Telnet services on the backbone relays themselves?
Most MUDs do not use Telnet.<p>MUDs use plaintext TCP protocols that are accessible to a wide range of clients.<p>The Telnet protocol is well-defined and not completely plaintext. There are in-band signaling methods and negotiations. Telnet is defined to live on 23/tcp as an IANA well-known, privileged, reserved port.<p>MUDs do none of this. You can usually connect to a MUD using a Telnet client, but most players hate the experience and often deride this method in favor of a dedicated, programmable client.<p>The fact that MUDs inhabit higher 4-digit ports is an artifact from their beginnings as unprivileged, user-run servers without a standardized protocol or an assigned “well-known port” presence. If you want your MUD to be particularly inaccessible, you could certainly run on port 23 now!
As a MUD enthusiast of two decades, this is not accurate. Where are you getting this information?<p>Most MUDs implement RFC 854, and a number of non-standard Telnet option subnegotiation protocols have been adopted for compression (MCCP2), transmission of unrendered data (ATCP, GMCP, ZMP), and even a mechanism for enabling marking up the normal content using XML-style tags (MXP). These telopts <i>build on</i> the subnegotiation facility in standard Telnet, whose designers knew that the base protocol would be insufficient for many needs; there are a great number of IANA-controlled and standardized telopt codes that demonstrate this, and the MUD community has developed extensions using that same mechanism.<p>> You can usually connect to a MUD using a Telnet client, but most players hate the experience and often deride this method in favor of a dedicated, programmable client.<p>I think you are confusing "telnet" the program with "telnet" the protocol. I am speaking here of the protocol, defined at base in RFC 854, for which "telnet" the program is but one particularly common implementation. You look at any of those "dedicated, programmable clients" and they will contain an implementation of RFC 854, probably also an implementation of RFC 1143 (which nails down the rules of subnegotiation in order to prevent negotiation loops), and an implementation of the RFCs for several standard telopts as well as non-standardized MUD community telopts. I can speak for the behavior of MUSHclient in especial regard here, though I am also familiar with the underlying Telnet nature of Mudlet, ZMud, and CMUD, not to mention my very own custom-made prototype client for which I very much needed to implement Telnet as described above.
Yes, perhaps we should define “MUD” and your incomplete experience of “most”.<p>As a MUD enthusiast for 37 years, I learned to program in C and Unix through TinyMUD, MUCK, and MUSH derived servers. From the beginning, none of these codebases implemted Telnet. There was nothing but a raw transparent TCP connection. In fact, I facilitated the introduction of a grand innovation: the "port concentrator" system which multiplexed TCP connections. Unix processes had a hard rlimit of 64 file descriptors, which crimped our style as an emerging MMORPG. The multiplexer increased this to 4096, for the biggest games of the era.<p>You mention MUSHclient, and I do not know about later revisions of the TinyMUSH server, but I can assure you that every MUSH I found from Larry Foard on, was not implementing Telnet. (I was privileged to help Larry "test" new features as I red-teamed his server with bizarre edge cases!)<p>Likewise, after I handed off TinyMUCK 2.3 to the furries, it was not doing the Telnet protocol. When we backported stuff to MUCK 1.x, it was not doing Telnet. I wrote a bonkers Perl program to read MUCK databases and sort of implement the game. No Telnet there. I've got to wonder whether the Ubermud or MOO guys had folded it in; they were close collaborators with us, back in the day.<p>Now as for the Diku, LP, and other “combat” type games, I’ve no idea. Perhaps they did. We never cared. I was aware that some of them had a pesky “prompt” that violated the line-mode assumptions of conventional clients and needed workarounds.<p>telnet(1), the program, was historically the only program that implemented the protocol. If you use Tinyfugue or Tinywar or tinymud.el, they are not, and no, I am not confused, because I was giving an example of why the Telnet-implementation, the program, the client, was so inadequate for playing on MUD servers.<p>It wouldn’t have been difficult to retrofit the Telnet RFC 854 into any MUD server, but none of us wizards had any use for it, seeing that our clients were mature and capable of much more processing without it.<p>If modern MUD servers have mostly implemented Telnet, then that is cool, but what surprises me is that it is mandatory, and your clients don’t seem to interoperate without it? That is a strange reversal!
The modern MUSH forks do generally support telnet, but yes -- as a 29 year old who's been pathologically obsessed with "MUD archeology" off and on, I'll confirm -- historically, most MUDs did not do any sort of Telnet negotiation.<p>Further, most older clients did not anticipate any kind of Telnet negotiation from the server, and will print garbage to the screen if connecting to modern MUSHes that do. (I've tested tinywar, vt, and that one VMS client...)<p>MUCKs never, to my knowledge, implemented telnet, though. They barely support ANSI escapes, nevermind Telnet. :-)
> [...] no, I am not confused, because I was giving an example of why the Telnet-implementation, the program, the client, was so inadequate for playing on MUD servers.<p>Then this is at the heart of our disconnect, because the post of mine that you originally replied to --- as well as, unless I drastically misread, the original article under discussion --- was concerned with traffic on port 23, the Telnet protocol port, and not with any particular implementation communicating on that port. The concern of my original comment was that this might affect MUDs that operate on port 23. Perhaps you can understand my confusion when you reply stating categorically that most MUDs do not use "Telnet" (meaning the program), when that wasn't really what was at concern (and therefore implied that my question had no basis).<p>It is a true fact that many MUDs operate on port 23. Many do not, but you can skim a MUD aggregator like MudConnect [0] to see that it is quite common. Aardwolf, Discworld MUD, and the IRE games --- which consistently topped TopMudSites (when that aggregator was still running, anyway) all operate on 23, potentially in addition to an unreserved port.<p>> what surprises me is that it is mandatory, and your clients don’t seem to interoperate without it? That is a strange reversal!<p>All telopts are disabled by default, per Telnet RFC; the only things you must absolutely parse under the RFC are the standard complement of NVT commands (such as IAC GA "Go Ahead"), even if they are otherwise implemented as no-ops.<p>Any input stream with the high bit clear is treated as pure data -- with the incidental exception of bare `\r`, which must always be followed either by `\n` or by `\0`; but Postel's Law has turned that into more of a guideline. So as long as the standard NVT encoding is assumed (which is just 7-bit ASCII) and the NVT core escape sequences are avoided, a modern Telnet-based MUD client can interoperate with a plaintext MUD server without issue. (As you know, this is also why people get away with using `telnet` (the program) to access HTTP and SMTP services instead of using something like netcat.)<p>Some MUD clients will eagerly send IAC DO / IAC WILL subnegotiations, but general practice is to let the server offer first -- probably precisely to ensure compatibility with MUDs that don't implement Telnet subnegotiations.<p>> Now as for the Diku, LP, and other “combat” type games, I’ve no idea<p>Diku-family MUDs are certainly the ones I have the most experience with. I understand LP MUDs also generally have Telnet support; or at least, I recall seeing a patch for them that MUD owners often sought to apply to their games.<p>[0]: <a href="https://www.mudconnect.com/cgi-bin/search.cgi?mode=tmc_biglist" rel="nofollow">https://www.mudconnect.com/cgi-bin/search.cgi?mode=tmc_bigli...</a>
> <i>MUDs do none of this.</i><p>MOOs do.
It wasn’t clear from the article but I assumed they were filtering for the attack specifically.<p>Since Telnet is totally plain text that would absolutely be easy to do right?
Wouldn't that imply that >80% of all monitored telnet sessions were exploit attempts for the specific CVE in question? Even with the scale of modern botnets, that seems unrealistic for a single vuln that was undisclosed at the time.
Not at interconnect speeds
It seems like they are doing a port based block similar to how residential lines often have their SMTP ports shut off.<p>That said in this day and age, servers on the public network really ought to use SSH.
When I was an intern for some reason they issued me a voip phone for my desk. One day I got bored and figured out I could telnet into it. Nothing interesting but it was still a fun moment for me!
So eleven years ago someone put a backdoor in the Telnet daemon.<p>Who?<p>Where's the commit?
<a href="https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c288b87139a0da8249d0a408c4dfb87" rel="nofollow">https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c28...</a>
That link goes to a page full of random garbage. No commits there to be seen.<p>Apparently the owners of that website don't like my choice of user agent, and have decided to punish me accordingly.
That's crazy. This is core business critical software but they just YOLO critical changes without any automated tests? this PR would be insta-rejected in the small SAAS shop I work at.
Culture has changed a lot since the 20th century and older projects can have antiquated norms around things like testing. I was just listening to a recent podcast talking about how worrisome it is that OpenSSL has a casual culture about testing[1] and was reminded about how normal that used to be. I think in the case of telnetd you also have the problem that it’s been deprecated for multiple decades so I’d bet that they struggle even more than average to find maintainer time.<p>1. <a href="https://securitycryptographywhatever.com/2026/02/01/python-cryptography-breaks-up-with-openssl/" rel="nofollow">https://securitycryptographywhatever.com/2026/02/01/python-c...</a>
Even with automated tests you'd need to think of this exploit right? Perhaps fuzzing would have got it. The mailing lists says they proved it successful on<p>- OpenIndiana<p>- FreeBSD<p>- Debian GNU/Linux<p>So not complete YOLO.<p>See <a href="https://lists.gnu.org/archive/html/bug-inetutils/2015-03/msg00001.html" rel="nofollow">https://lists.gnu.org/archive/html/bug-inetutils/2015-03/msg...</a><p>FWIW, a well known LLM agent, when I asked for a review of the patch, did suggest it was dodgy but didn't pick up the severity of how dodgy it was.
If you think you can do better you're welcome to do better. I say this without a hint of sarcasm. This is how open source works. It's a do–ocracy, not a democracy. Whoever makes a telnet server gets to decide how the telnet server works and how much testing it gets before release.
Any business that has a telnet daemon able to be reached by an unauthenticated user is negligent. Just the fact that everything is in the clear is reason enough to never use it outside of protected networks.
Most 90’s era software had zero tests. Nobody gave it a second thought.
There's a famous XKCD about this: <a href="https://xkcd.com/2347/" rel="nofollow">https://xkcd.com/2347/</a><p>In this case the hero's name is apparently Simon Josefsson (maintainer).
<a href="https://xkcd.com/2347/" rel="nofollow">https://xkcd.com/2347/</a><p>Ah, someone beat me to it!
It can't be critical business software if the business to which it is critical isn't paying anything for it.<p>/s
Telnet's cleartext and always has been. A backdoor seems like overkill.
> backdoor<p>Do you mean that it's intentional? Why do you think so?
It wasn't a backdoor, just a very serious security bug. Congrats on jumping straight to conspiracy and paranoia, though.
It's nice to not see C being blamed for once! ... Just good old lack of reasoning (which is most C's codebase downfall, agreeably).
Kind of "funny" affected service is BGP RouteViews CLI access, still running over telnet: <a href="https://archive.routeviews.org/" rel="nofollow">https://archive.routeviews.org/</a> (scroll to bottom of the page)<p>Isn't this one of the remaining, "legit" uses of the Telnet protocol on TCP/23 port over the public Internet?
Stranger article. I wasn't able to get the main point of this article. Strangely written, but hey - I'm nob native by any means.<p>ps.<p>telnet SDF.org<p>just works...
An RCE in GNU's telnetd has no relationship to the sunsetting of telnet. Something could equally likely happen with SSH (but not really because the OpenBSD folks are paranoid by nature).<p>Apple removing the telnet client from OS X was a stupid move. How can you call yourself UNIX and not have a telnet client? It's like removing grep or ed.
Thats what the mystery exceptions for the Open Group macOS UNIX certification was for!
There's always nc hostname 23 unless you need authentication
There's no UNIX requirement for telnet.<p>Ubuntu does not include it by default (starting 16.04?). Most most distros don't.
Two wrongs don't make a right.<p>Apple still includes uucp for some unknown reason.<p>The saving disk space argument makes no sense because telnet was one of the smaller binaries in /usr/bin.<p>Telnet continues to be widely used for select use cases and being told we're naughty by not including it feels punitive and just adds extra steps. What are you supposed to do, trash a $1m piece of industrial equipment because Apple wants to remind you Telnet is insecure?<p>New devices are still being released with Telnet where SSH is impractical or unnecessary.
There are many things I want to say in reply to this. So I’ll bullet point them:<p>* yes, do not buy equipment that has acquired so much tech debt that it still requires telnet.<p>* there are a million telnet clients out in the world. And ones far better than the default OS one. Apple not shipping one standard is not the end of the world or really anything more than a mild inconvenience for the small handful of people who need actual “Telnet” as opposed to Netcat or socat, both of which are far better than base Telnet.
> yes, do not buy equipment that has acquired so much tech debt that it still requires telnet.<p>No, you already own this capital equipment. It's the laptops running macOS that are ephemeral and disposable.<p>I don't care for excuses or workarounds; why did they do it?<p>It was an explicit decision whilst leaving a lot more—arguably more useless—garbage in.<p>Every OS that removed telnet did so for a symbolic reason, not because it was helpful technically.
You can have it, it’s not on the base install.<p>99% of Mac users never use it, directly or indirectly. Asking that they have it anyway is a self centric view.
Ubuntu and derivates removing telnet from the default install, along with other basic tools like traceroute etc, was one of the driving factors toward me creating my own distro. I'm sick of basic stuff being omitted because somebody just decided it's not needed anymore.
Netcat works as a telnet client. GAWK can do that too with a dumb loop. So can con(1) under 9front.
Port 23 has decreased significantly over the past decade:<p><a href="https://i.imgur.com/tZoTWu6.png" rel="nofollow">https://i.imgur.com/tZoTWu6.png</a><p>Still seeing a sizable number of open ports but it's on the decline.
Am I the only one who feels like it isn't the responsibility of backbone ISPs to filter traffic like this? In the case of a DDoS situation I could get behind it, but in this case I feel as though it's not Cogent's problem if I want to use telnet from a device on Charter's network to a Vultr VPS, even if it may be ill-advised.<p>(Of course, the article only speculates that this traffic filtering is what's going on; there isn't any hard proof, but it feels plausible to me.)
Interesting... I hadn't been watching, but I average around 2000 unique IPs for telnet... there was a brief 7500 IP spike in the middle of January, but it was short lived. There was a smaller blip just at the end of January, but going into February it's actually down around 1000.
For about 15 years beginning in 2003 I had some VPSs with CrystalTech/NewTek. I noticed right away that they had blocked all port 23 traffic in/out of their edge.<p>I asked them about it and they said it was a security measure. Apparently they used telnet for managing their routers.<p>It turned out that they did not have very good security anyway.<p><a href="https://krebsonsecurity.com/2018/02/domain-theft-strands-thousands-of-web-sites" rel="nofollow">https://krebsonsecurity.com/2018/02/domain-theft-strands-tho...</a><p>I switched to A2 hosting shortly after the above incident, but I dumped them when they did not keep up to date on their Ubuntu LTS OS options.<p>I've been running on AWS for the past eight years. It costs more, but it's been extraordinarily reliable.<p>A2 and AWS do not restrict port 23.
I still used telnet today (had to). Unsure of the patching here. But its definitely locked down to a subset of internal use only.
77k hosts with port 23 open <a href="https://www.shodan.io/search?query=telnet" rel="nofollow">https://www.shodan.io/search?query=telnet</a>
It's more like telnetd died rather than telnet died.<p>btw if you want a quick telnet client, and an old python happens to be installed, you can use `python -m telnetlib IP`
Since Tier 1 transit providers have now blocked telnet (port 23), this means the death of watching ASCII Star Wars with `telnet towel.blinkenlights.nl`<p>However, if you still long for nostalgia, I was able to access it over IPv6 using a VPN based in the Netherlands:<p><pre><code> telnet 2001:7b8:666:ffff::1:42
</code></pre>
I'm sure the port 23 telnet blocking will be coming to IPv6 soon though.
More likely a specific botnet had it's c2 or telnet scanning report endpoint go down / get nulled on Jan 14th.
The design of telnet and ssh where you have a daemon running as root is bad security that as shown here is a liability, a ticking time bomb ready to give attackers root.
Oldschool telnetd didn’t actually run as root; rather, it just set up a PTY for the incoming socket to talk to, and then fork-exec’ed a /bin/login subprocess to live inside that pty. /bin/login is setuid-root, so it’s “where the security lived.”<p>I think we all collectively decided that that was a bad idea at some point — probably because /bin/login was never designed under the assumption that it would have to deal with arbitrary binary network traffic being thrown at it (it really only expects keyboard input.) So we switched to doing auth directly in our network daemons, since at least then “people who are aware the code is network-facing” would be maintaining it.
What do you think proper architecture would be, given that ssh needs a capability to let root logins?<p>I suppose it could be via a proper PAM module, which is widely supported.<p>Too bad the first PAM RFC was published about the same time the first be version of ssh was released.
> ssh needs a capability to let root logins<p>One can disable root login via SSH in /etc/ssh/sshd_config. sshd also drops root priviledges once it's running IIRC.<p>I use use sudo or doas as a regular user once logged in.
Does ssh need to allow root logins?<p>Sshing as a regular user and then sudo to root works 95% of the time…
I think a proper architecture would not even have a root account. The server would just expose an authenticated endpoint that allows for configuration and updates to be pushed for it.
OpenSSH has been moving quite quickly in the direction of multiple, privilege separated processes, each also heavily sandboxed with pledge and unveil
Literally how else is a remote login daemon supposed to work though?
1. Start with root to bind the port below 1024.<p>2. give up root because you don't need it any further.<p>3. Only accept non-root logins<p>4. when a user creates a session, if they need root within the session they can obtain it via sudo or su.
That still needs a way to change users, and OpenSSH already has privilege separation. That hardens the process somewhat to reduce the amount of code running in the process which can change the uid for a session but fundamentally something needs permission to call setuid() or the equivalent.
Congratulations, you've created a server that lets people have shells running as the user running telnetd.<p>You presumably want them to run as any (non root) user. The capability you need for that, to impersonate arbitrary (non-root) users on the system, is pretty damn close to being root.
You still need to have privileges to become the userid of the user logging in. Openssh does do privsep, but you still need a privileged daemon.
I'm not sure that you need root because of the port - I think login itself needs to run as root, otherwise it cant login to anything other than the account its running under.
The remote daemon has its own account and is given a privilege that allows it to connect a network socket to a pseudo terminal.
Those are already unprivileged operations, but how does it start the initial process in that terminal with the correct privileges for a different user?
Any breach of the daemon will still give access to a system that can approve/deny user logins. Breaching the daemon therefore allows permission escalation, because you can simply jump to an account. Chain with any local vuln of your choice to completely own the box.<p>It doesn't matter what user it is running as.<p>If this was so easy to deal with, someone would have done it. Instead, we get endless HN comments about people that act like they can do better but never submit a PR.
Breaching the daemon only allows for the attacker to get access to the login. User accounts should still be secured requiring authentication.<p>>If this was so easy to deal with, someone would have done it.<p>Sadly this is not the case. There is a lot of inertia towards solutions like ssh or sudo. It may be easy to delete them, but actually getting such a changed accepted is no trivial task.
> Breaching the daemon only allows for the attacker to get access to the login<p>Yes, but potentially <i>any</i> login. See the problem? If you compromise the gatekeeper, you are now the keymaster. Or whatever :)
Between you and me telnet is not dead. Sometimes I use it to probe a port to verify it is working.
You might wanna use netcat for that instead [1]. Or, for example, socat [2]. Netcat has been around for a long, long time now.<p>[1] nc (1) - arbitrary TCP and UDP connections and listens<p>[2] socat (1) - Multipurpose relay (SOcket CAT)
That's not really telnet. Yeah, it's using the same client, but the server and underlying protocol are what's relevant here.<p>The modern replacement for telnet used in the "probe a port" fashion is nc/netcat.
This is about Telnetd. Not telnet itself.
<p><pre><code> 1. TELNET is an IETF-standard protocol defined by RFCs.
2. Telnet is a well-known port assigned by the IANA (tcp/23).
3. telnet is a client program, originated on Unix, available on many systems, and likely from a quite homogeneous codebase.
4. telnetd is a server program, also originated on Unix for the purpose of implementing Telnet protocol as a login server. Also a homogeneous codebase or two.
</code></pre>
TFA is about items 2 and 4, and 1/3 are completely unrelated.<p>IIRC, the <i>only</i> traffic that was monitored and detected here is the scanning. The vulnerability scanners that try and detect, for better or worse, what someone's running on port 23, fingerprint it, and figure out if it's a vulnerability.<p>Interestingly, filtering port 23 only mitigates the CVE by happenstance. It is merely by convention that telnetd runs on port 23, so that people can use it to log in remotely. There is no constraint that requires port 23. Any other service could usurp 23/tcp for itself if the admin decrees it. So, filtering port 23 is an effective mitigation for the defaults of someone running a vulnerable server on the standard port. But it is not a panacea, and it doesn't prevent anyone from using the telnetd server, or the telnet client, except for port 23.<p>But it also prevents you from offering any service on port 23/tcp, lest it be filtered. You wouldn't want to run a web server, sshd, a MUD, or anything else, because your connectivity would be negatively impacted for this reason. (The common experience is that a lot of Windows SMB/NetBIOS ports are blocked, and SMTP and port 80, on a lot of consumer ISPs, although this is contrasting the ISP situation to Tier-1 transit carriers now.)
...except that port 23 seems to now be filtered across the internet at large, leading to a huge drop-off in telnet traffic over the course of days if not hours. I think it's safe to say that even if you patch telnetd, being able to use telnet over the internet is not possible in many places (including Canada, according to the data).
I used to telnet into my POP3 account and check email by protocol. Shucks.
Am I the only one who finds this suspicious ? About Telnetd “…The vulnerable code was introduced in a 2015 commit and sat undiscovered for nearly 11 years.”
Okay, it is really weird. This was not an exploit difficult to pull off, or discover. It is such an elementary error that any script kiddie could have leveraged it anywhere, once it was understood.<p>Is there proof or evidence that it was never exploited in all of 10 years and remained as a latent zero-day?<p>The only saving grace I would propose, is that since telnetd has been aggressively deprecated once ssh became popular, and encryption became ubiquitous, and remote exploits became commonplace, and Starbucks WiFi was routinely surveilled, that telnetd simply wasn't running anywhere, anymore.<p>We have commenters saying that embedded systems and IoT used telnet servers. But were they running an actual GNU telnetd or just a management interface that answered on port 23/tcp? Commenters are citing statistics of "open port 23", but that means nothing in terms of this CVE, if it ain't GNU telnetd. Cisco has literally always used port 23 for management. Other routers and network devices use port 23 without telnetd.<p>How popular was GNU telnetd to be running on a system and exposed to the Internet? This article pertains to all the port-scanners running everywhere, so surely someone with a Shodan account can make a survey and tell us: who was still exposing GNU telnetd in 2026?
Time to switch to SUPDUP!
Why would somebody read something that somebody couldn't be bothered to write? This article is AI slop.
What stood out as AI written? It felt like a well-written article by an SME to me.
Not the original commenter, but I noticed it too. I guess it's hard since AI is trained on human content, so presumably humans write like this too, but a few that stood out to me:<p>> Five entire countries vanished from GreyNoise telnet data: Zimbabwe, Ukraine, Canada, Poland, and Egypt. Not reduced — zero.<p>> An attacker sends -f root as the username value, and login(1) obediently skips authentication, handing over a root shell. No credentials required. No user interaction.<p>> The GreyNoise Global Observation Grid recorded a sudden, sustained collapse in global telnet traffic — not a gradual decline, not scanner attrition, not a data pipeline problem, but a step function. One hour, ~74,000 sessions. The next, ~22,000.<p>> That kind of step function — propagating within a single hour window — reads as a configuration change on routing infrastructure, not behavioral drift in scanning populations.<p>(and I'm not just pointing these out because of the em dashes)<p>GPTZero (which is just another AI model that can have similar flaws and is definitely not infallible, but is at least another data point) rates my excerpts as 78% chance AI written, 22% chance of AI-human mix.<p>To me at least, the article still seems to be majority human-written, though.
Also, one of the authors is "Orbie", which looks like an AI name, and if you go and read through some of the recent posts, all of the posts with that author feel very LLM-y and bland, and the posts without that author are <i>much</i> more normal.<p>GGP has a good eye.
Personally, I found the spoof song in the middle of very dry writing to be jarring. But I didn't think it sounded AI written.
[dead]
Ah. Telnet. My oscilloscope still talks telnet, and this is the reason why that type of equipment is on an isolated net.
> required. No user interaction. The vulnerable code was introduced in a 2015 commit and sat undiscovered for nearly 11 years.<p>I think about this quote a lot:
given enough eyeballs, all bugs are shallow
Your cookie banner is very inconvenient and made me leave your website and not read the article
telnet isn't just for ... telnet.<p><pre><code> $ telnet smtp.example.co.uk 25
HELO me
MAIL FROM: gerdesj@example2.co.uk
RCPT TO: gerdesj@example.co.uk
DATA
</code></pre>
.. or you can use SWAKS! For some odd reason telnet is becoming rare as an installed binary.
The difference between "telnet" the program and "telnet" the protocol is especially important in this discussion, I think.<p>A more "proper" tool for that is netcat -- I doubt SMTP supports the Telnet option negotiations subsystem. (I also doubt SMTP servers can interpret the full suite of Network Virtual Terminal (NVT) commands that the Telnet protocol supports.) There's clearly enough similarity between the two protocols that if you're just using it to transfer plaintext it will probably work out fine, but they are distinct protocols.
I used telnet(1) as a generic TCP text client for many years before switching to GNU/BSD netcat. Nowadays, netcat is more prominent then telnet, and telnet had its corner cases with control characters.<p>Never heard about <a href="https://jetmore.org/john/code/swaks/" rel="nofollow">https://jetmore.org/john/code/swaks/</a>, thanks for the tip.
You want nc (usually with -v) or socat. telnet is muscle memory for a lot of people (myself included sometimes) but it's a strictly inferior choice these days for poking arbitrary plaintext services.
I discovered swaks recently, god I love that tool
Who actually uses the tectia ssh client instead of openssh?
telnet + shijack = good times
port 22 2FA
<i>The pattern points toward one or more North American Tier 1 transit providers implementing port 23 filtering</i>
[dead]
[dead]
I think it would be better suited to use the terms we use for natural languages. A natural language is dead when the last person who learned it as first language dies and are extinct when there is noone that would speak it at all.<p>In these terms, telnet has been dead for a long while, but it's extinct now.
Even that's argued within linguistics. There are languages which survive for generations as secondary languages (especially trade languages as Swahili or Chinook Jargon appear to have been originally). Also some like Latin, Hebrew and Sanskrit which survive for centuries but not as native languages.
Can you cite sources where this is argued?<p>The wikipedia seems to make a clear definition:<p><a href="https://en.wikipedia.org/wiki/Language_death" rel="nofollow">https://en.wikipedia.org/wiki/Language_death</a><p>That said, the above article does use extinction and death somewhat interchangably later on, but I suppose it's almost the same for small languages that nobody learns who is not a native speaker.
There are plenty of languages which exist without much in the way of L1 speakers. Esperanto, for example, although it does have a handful of native speakers. Many people speak English as a non-native language, particularly in places like India or Nigeria. Swahili was originally a trade language few folk spoke and even today, many of its speakers are L2.<p>I can speak and read some Manx. I personally don't believe it died in the 1970s. Not only do we have continuity from that time, there are people around today who learnt theirs off native speakers (in one case they were his close relatives.) It helps that we have many recordings, writings etc and it is also closely related to two languages which are in slightly better shape.<p>Latin and Hebrew were in use within the Middle Ages to a substantial level and used to communicate between people as a common language sometimes. Hebrew is now revived, but is Latin? A few people have spoken it as their first language over the last century or two.
[dead]
[flagged]
The most interesting thing here isn't the CVE - it's the invisible coordination. A backbone provider acted on advance knowledge of a critical flaw, implemented filtering at scale, and the rest of us didn't notice until GreyNoise's data showed the drop. The vulnerability got patched at the network layer before it ever reached the application layer. This is what mature security ecosystems look like - the boring, quiet fixes that happen before the press release.
Stop spamming AI slop
?
You comment reads very AI generated. From the, it's not X it's y, to the overdramatization of completely normal events (i.e. key infrastructure providers are notified of CVEs before they are disclosed so impact is minimized)
because it reads like claude output?<p>and also the pattern:<p>> The most interesting thing here isn't the CVE… This is what mature security…<p>> The most interesting finding isn't that hyperbolic growth… This is Kuhnian paradigm…<p>both comments in the last 24h