What is Telnet?
Telnet is one of the oldest network protocols still in use. It provides a bidirectional, interactive, text-oriented communication channel over a virtual terminal connection, on the internet or on a local area network. Telnet dates from 1969 (RFC 15; the current specification is RFC 854, from 1983) and is still widely used today for configuring network devices.
Telnet typically uses Transmission Control Protocol (TCP) port 23, but a Telnet server can be configured to listen on any TCP port, such as 80 or 8080. This matters when you try to detect Telnet on your network: you cannot simply look for devices that are listening on TCP port 23.
Why worry about Telnet network traffic?
Because Telnet is an unencrypted protocol, anyone who can capture the session traffic sees the full command line interface (CLI) exchange for that make and model of device. The captured strings may reveal the login procedure, the user credentials presented, commands that display the boot or running configuration, file copy operations, and the creation or destruction of GRE tunnels.
A briefing from the U.K.-based National Cyber Security Centre (NCSC) recommends that you check your network for any devices running unencrypted management protocols such as:
- Telnet (TCP port 23)
- Hypertext Transfer Protocol (HTTP, port 80)
- Simple Network Management Protocol (SNMP, ports 161/162)
- Cisco Smart Install (SMI, TCP port 4786)
If these services are in use, the NCSC recommends the following:
- Do not allow unencrypted (i.e., plaintext) management protocols (e.g., Telnet) to enter an organization from the internet. When encrypted protocols such as SSH, HTTPS, or TLS are not possible, management activities from outside the organization should be done through an encrypted Virtual Private Network (VPN) where both ends are mutually authenticated.
- Do not allow internet access to the management interface of any network device. The best practice is to block internet-sourced access to the device management interface and restrict device management to an internal, trusted and whitelisted host or LAN. If access to the management interface cannot be restricted to an internal trusted network, restrict remote management access to an encrypted VPN where both ends are mutually authenticated. Whitelist the network or host from which the VPN connection is allowed, and deny all others.
- Disable legacy unencrypted protocols such as Telnet and SNMPv1 or v2c. Where possible, use modern encrypted protocols such as SSH and SNMPv3, and harden them according to current best security practice. The NCSC and the Department of Homeland Security (DHS) strongly advise owners and operators to retire and replace legacy devices that cannot be configured to use SNMPv3.
- Immediately change default passwords and enforce a strong password policy. Do not reuse the same password across multiple devices. Each device should have a unique password. Where possible, avoid legacy password-based authentication, and implement two-factor authentication based on public-private keys.
Using network traffic analysis to detect Telnet activity
As previously mentioned, Telnet normally runs over TCP port 23. However, Telnet can be configured to run over any port, so you cannot rely solely on watching TCP port 23. You must be able to monitor all traffic and pick out the Telnet sessions by some form of application detection.
A network traffic analysis tool can detect Telnet reliably only if it has access to packet payloads, because that is where the protocol identifies itself: a Telnet session opens with option negotiation (IAC sequences) whatever port it runs on. Flow records such as NetFlow or IPFIX carry addresses, ports and byte counts but no payload, so a flow-based tool alone can tell you that something is talking on TCP port 8080 but not whether it is Telnet or HTTP.
If you want continuous monitoring in place, you need to set up a data source such as a SPAN or mirror port, or a network TAP. Once you have a data source, you need a network traffic analysis solution with an application recognition engine that can report on Telnet activity no matter which port it is running over.
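The two points above, that Telnet has to be recognised from its payload rather than its port and that an unencrypted session hands the login to anyone watching, can be demonstrated with a small classifier. The following is an added example written for this page, not code from the original article or from any product it mentions. It identifies Telnet by its RFC 854/855 option negotiation (IAC sequences), compares that with a naive port-23 filter, and strips the negotiation from a captured session to recover the prompt and the typed password. All addresses, ports and payloads are constructed test data; in a real deployment the same functions would be run over TCP streams reassembled from a SPAN or TAP feed.

```python
"""Added example: port-agnostic Telnet detection from TCP payloads (RFC 854/855
IAC option negotiation) and recovery of the plaintext a Telnet session exposes.
All flows, addresses and payloads below are constructed for illustration."""

IAC = 0xFF                        # "Interpret As Command" escape byte
SE, SB = 0xF0, 0xFA               # subnegotiation end / begin
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE

COMMAND_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
# Subset of the IANA Telnet option codes
OPTION_NAMES = {0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS",
                24: "TERMINAL-TYPE", 31: "NAWS", 34: "LINEMODE", 39: "NEW-ENVIRON"}


def parse_iac_commands(payload: bytes) -> list[tuple[str, str]]:
    """Return (command, option) pairs for each well-formed IAC sequence."""
    found, i, n = [], 0, len(payload)
    while i < n - 1:
        if payload[i] != IAC:
            i += 1
            continue
        cmd = payload[i + 1]
        if cmd == IAC:                        # IAC IAC is an escaped 0xFF data byte
            i += 2
        elif cmd in COMMAND_NAMES:            # three-byte negotiation: IAC <cmd> <opt>
            if i + 2 >= n:
                break
            opt = payload[i + 2]
            found.append((COMMAND_NAMES[cmd], OPTION_NAMES.get(opt, f"OPTION-{opt}")))
            i += 3
        elif cmd == SB:                       # IAC SB <opt> ... IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            if end == -1 or i + 2 >= n:
                break
            opt = payload[i + 2]
            found.append(("SB", OPTION_NAMES.get(opt, f"OPTION-{opt}")))
            i = end + 2
        else:                                 # other two-byte commands (NOP, GA, ...)
            i += 2
    return found


def looks_like_telnet(payload: bytes, min_negotiations: int = 2) -> bool:
    """A stray 0xFF in a binary protocol can mimic one negotiation; requiring two
    well-formed ones in the first segment keeps false positives down."""
    return len(parse_iac_commands(payload)) >= min_negotiations


def strip_negotiation(payload: bytes) -> bytes:
    """Drop IAC sequences and unescape IAC IAC, leaving only the terminal text."""
    out, i, n = bytearray(), 0, len(payload)
    while i < n:
        if payload[i] != IAC:
            out.append(payload[i]); i += 1
        elif i + 1 < n and payload[i + 1] == IAC:
            out.append(IAC); i += 2
        elif i + 1 < n and payload[i + 1] in COMMAND_NAMES:
            i += 3
        elif i + 1 < n and payload[i + 1] == SB:
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = n if end == -1 else end + 2
        else:
            i += 2
    return bytes(out)


# Constructed flows: (client, server, server port, first server->client payload)
NEGOTIATE = bytes([IAC, DO, 24, IAC, WILL, 1, IAC, WILL, 3])   # DO TERMINAL-TYPE, WILL ECHO, WILL SGA
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.1", 23,   NEGOTIATE),                        # textbook Telnet
    ("10.0.0.5", "10.0.0.2", 8080, NEGOTIATE),                        # Telnet hidden on a web port
    ("10.0.0.5", "10.0.0.3", 80,   b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
    ("10.0.0.5", "10.0.0.4", 23,   b"SSH-2.0-OpenSSH_8.9\r\n"),       # SSH moved onto port 23
    ("10.0.0.5", "10.0.0.6", 5000, bytes([0x02, IAC, DO, 1, 0x00, 0x10])),  # binary data with one IAC-like run
]


def detect_by_port(flows, port: int = 23) -> list[str]:
    """Naive approach: flag every server listening on the Telnet port."""
    return [server for _, server, dport, _ in flows if dport == port]


def detect_by_payload(flows) -> list[str]:
    """Application-aware approach: flag servers whose first segment negotiates Telnet options."""
    return [server for _, server, _, payload in flows if looks_like_telnet(payload)]


# Constructed login on the 10.0.0.2:8080 session: device prompt, then what the operator typed
SERVER_STREAM = NEGOTIATE + b"\r\nUser Access Verification\r\n\r\nPassword: "
CLIENT_STREAM = bytes([IAC, WILL, 24, IAC, DO, 1, IAC, DO, 3]) + b"cisco123\r\n"


def recover_login(server: bytes, client: bytes) -> tuple[str, str]:
    """Return (prompt sent by the device, text typed by the operator) from a captured session."""
    return (strip_negotiation(server).decode("ascii", "replace"),
            strip_negotiation(client).decode("ascii", "replace").strip())


if __name__ == "__main__":
    print("port 23 only  :", detect_by_port(SAMPLE_FLOWS))
    print("payload-based :", detect_by_payload(SAMPLE_FLOWS))
    print("recovered     :", recover_login(SERVER_STREAM, CLIENT_STREAM))
```

The port filter both misses the Telnet server on 8080 and falsely flags the SSH daemon someone moved to port 23, while the payload classifier gets both right and ignores the binary protocol that happens to contain one 0xFF 0xFD pair. In production you would feed `looks_like_telnet` the first segment in each direction of a reassembled stream (some servers wait for the client to negotiate first), and the `min_negotiations` threshold is the knob to tune if you see false positives from other binary protocols.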
Typically, you monitor network traffic at your network core, where most of the interesting traffic passes through. You then apply a filter so that only Telnet traffic is shown. With a solution like InsightIDR, this can be saved as a custom report if you want to add it to a dashboard, or turned into an alert so you are notified whenever Telnet activity is detected on your network.