Security risks involved with running Telnet client and server

Often administrators are reluctant to run Telnet on their computers. In fact, the Windows operating system does not enable Telnet on the machine by default. This article talks about the risks involved and some misconceptions related to Telnet.

Before going any further, it is important to understand the difference between a Telnet Client and Telnet Server.

Telnet Server vs Telnet Client

A telnet server was initially designed in 1969 to allow command line access to a remote computer. Once connected to the server, a remote user can run any command that would usually be available locally. For instance, a remote user could spawn/terminate processes, add, remove or modify files, and completely shut down a system.

On the other hand, a Telnet client is a simple TCP/IP client that can connect to ANY TCP/IP server. A common misconception is that a telnet client can only connect to a telnet server.

Security Risks Associated With Telnet Server

There are several security risks associated with a Telnet Server:

• Communication is not encrypted. Therefore, using it over an unsecured channel is risky.
• No provision exists for using public/private keys. Users are authenticated using passwords in the clear.
• It can be used to guess passwords. Writing a program that can guess passwords on a server is very easy.

Therefore, it is strongly recommended not to enable a Telnet Server on your machine.

Security Risks Associated With Telnet Client

Telnet client by itself does not pose any risks. In fact, a Telnet client is an excellent tool for debugging TCP/IP servers. Here are a couple of examples:

Example 1

The following command connects to an HTTP server to fetch the home page:

telnet www.microsoft.com 80

This command connects to Microsoft's HTTP server on port 80. You will see a blank screen once a connection is established, confirming the server is listening.

Example 2

The following command connects to Synametrics' SMTP server on port 25:

telnet mail.synametrics.com 25

When connecting to an SMTP server, you should see an SMTP banner from the server confirming its existence.

Both examples above show how to connect to any TCP/IP server using the Telnet Client. Once connected, you can optionally send further commands to that server. For example, you could send a full email to an SMTP server using Telnet.

Summary

Think of Telnet Server as the front door of your house and the client as a vehicle to get there. If you leave the front door open, any unauthorized individual could get in and ruin your house. On the other hand, a vehicle can be used for several purposes, and there is no harm in using it to visit other places.