Port reference
Port 23 (TCP) – Telnet
Unencrypted remote terminal protocol for interactive login and device management.
Quick facts
- Transport: tcp
- Category: Well-known
- TLS: Cleartext
- Risk level: High
Frequently targeted — restrict exposure and harden it.
Use a secure alternative
This is a legacy or cleartext protocol. Prefer the encrypted equivalent: SSH (port 22).
Default state
Disabled on modern OSes but still enabled by default on many routers, switches, IoT, and industrial devices.
Common attacks
- Cleartext credential capture via sniffing
- Default and weak credentials on routers and IoT
- Mass botnet infection (Mirai-style) of exposed devices
- Credential brute force and password spraying
Hardening
- Disable Telnet entirely and use SSH (port 22) instead
- If unavoidable, restrict to an isolated management VLAN, never the internet
- Change all default credentials and enforce strong passwords
- Block port 23 inbound at the perimeter firewall
nmap snippet
nmap -p23 --script telnet-encryption,telnet-ntlm-info,banner <target>
Replace <target> with the host or range you're authorized to scan.
How to check if this port is open
ss -tulpn | grep :23
nmap -p 23 <target>

netstat -ano | findstr :23
Test-NetConnection <host> -Port 23

lsof -i :23
nmap -p 23 <target>
How to block this port
sudo ufw deny 23/tcp

sudo firewall-cmd --permanent --remove-port=23/tcp
sudo firewall-cmd --reload

sudo iptables -A INPUT -p tcp --dport 23 -j DROP

New-NetFirewallRule -DisplayName "Block 23" -Direction Inbound -Protocol TCP -LocalPort 23 -Action Block
What runs on port 23?
Port 23 is the default port for Telnet, one of the original remote-terminal protocols. It provides an interactive command-line session to a remote host or device. Modern operating systems have removed or disabled it in favor of SSH, but it remains enabled by default on plenty of routers, switches, IoT gadgets, printers, and industrial equipment, where it is used for configuration and management.
Why it matters for security
Telnet has no encryption whatsoever. Usernames, passwords, commands, and output all travel in cleartext, so anyone who can observe the traffic — on the same LAN, an upstream link, or a compromised device — can read the entire session and harvest credentials. Combined with the default passwords common on the embedded devices that still run it, an open port 23 is one of the easiest footholds an attacker can find.
How it's attacked
The simplest attack is passive sniffing to capture credentials from a session. At internet scale, botnets such as Mirai continuously scan port 23 and log in to IoT devices using lists of default and weak credentials, conscripting them into DDoS swarms. Beyond that, attackers run brute-force / password spraying against any exposed Telnet service. There is no transport security to slow any of this down.
Hardening checklist
Disable Telnet completely and use SSH (port 22) for all remote management. If a legacy device truly cannot do SSH, confine Telnet to an isolated management VLAN that is never reachable from the internet, change every default credential, and enforce strong passwords. Block inbound port 23 at the perimeter firewall. The nmap snippet above checks whether encryption is offered and grabs the banner so you can find exposed Telnet on systems you are authorized to test.
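What "encryption offered" means at the protocol level, shown as an added example that is not part of the original page: the Python below parses the option negotiation (IAC sequences) at the start of a Telnet server's greeting and reports whether the ENCRYPT option (38, RFC 2946) appears. The function names and both sample greetings are constructed for illustration, and this is not a description of how the nmap script is implemented.

```python
# Added example: classify a Telnet server greeting. Sample bytes are constructed.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERBS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPTIONS = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE",
           31: "NAWS", 37: "AUTHENTICATION", 38: "ENCRYPT"}

def parse_greeting(data: bytes):
    """Split bytes sent by a Telnet server into (negotiations, banner text)."""
    negotiations, text = [], bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:                 # ordinary data byte
            text.append(data[i])
            i += 1
        elif i + 1 >= n:                   # capture ends mid-command
            break
        elif data[i + 1] == IAC:           # IAC IAC is an escaped literal 0xFF
            text.append(IAC)
            i += 2
        elif data[i + 1] in VERBS:         # IAC <verb> <option>
            if i + 2 >= n:
                break
            opt = data[i + 2]
            negotiations.append((VERBS[data[i + 1]], OPTIONS.get(opt, str(opt))))
            i += 3
        elif data[i + 1] == SB:            # subnegotiation: skip to IAC SE
            j = i + 2
            while j + 1 < n and not (data[j] == IAC and data[j + 1] == SE):
                j += 2 if data[j] == IAC else 1   # step over escaped IAC IAC
            if j + 1 >= n:
                break                      # unterminated subnegotiation
            i = j + 2
        else:                              # other two-byte command (NOP, GA, ...)
            i += 2
    return negotiations, text.decode("latin-1")

def offers_encryption(negotiations):
    """True if the server sent WILL ENCRYPT or DO ENCRYPT (option 38)."""
    return any(verb in ("WILL", "DO") and opt == "ENCRYPT"
               for verb, opt in negotiations)

# Constructed greeting of a typical embedded device: no ENCRYPT option at all.
SAMPLE_PLAIN = bytes([IAC, WILL, 1, IAC, WILL, 3, IAC, DO, 24]) + b"\r\nlogin: "
# Constructed greeting of a server that negotiates AUTHENTICATION and ENCRYPT.
SAMPLE_ENC = bytes([IAC, DO, 37, IAC, WILL, 38, IAC, DO, 38]) + b"\r\nlogin: "

if __name__ == "__main__":
    for raw in (SAMPLE_PLAIN, SAMPLE_ENC):
        negs, banner = parse_greeting(raw)
        print(negs, repr(banner), "encrypt offered:", offers_encryption(negs))
```

A greeting with no ENCRYPT negotiation means the login prompt and everything typed after it cross the network as readable bytes, which is the case for the first sample.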
Frequently asked questions
- Is port 23 dangerous?
  Yes. Telnet sends everything, including passwords, in cleartext and has no encryption. Anyone on the path can read credentials, and exposed devices are mass-targeted by botnets. Use SSH instead.
- Why is Telnet still used?
  Legacy routers, switches, IoT, and industrial gear often ship with Telnet enabled for convenience. It should be disabled in favor of SSH wherever possible.