Telnet Port 23

I’ve disabled Telnet in my router and created a global rule blocking all incoming & outgoing UDP and TCP traffic from any IP to any IP where source port is any and destination port is 23 but shields-up still shows port 23 to be open.

Have I got the configuration for the global rule right?

Should I worry about Telnet port 23 at all? Some sites say it can be used for dodgy purposes.

Sorry if I’m asking a lot of questions recently, I’m just having a few days trying to make sure all is safe and good with my Internet world… :slight_smile:

Indeed it would be appropriate to look in shields-up report and confirm the reason port 23 is opened on the internet.

It looks like SNMP (Simple Network Management Protocol) service might be another candidate

Did you search for your router brand/model on the Internet to see if anybody had this issue?

You could also launch cmd.exe with admin privileges and run netstat -anob ( To create a file with the results you can use netstat -anob > C:\result.txt)

That command will take a while but can list what processes are engaged in networking activities and list what port are being listened.

I searched a lot of sites regarding Telnet and port 23 and they all told me to close it in my router, which I did, and in my firewall, which I did. Shields-up offers no more information on the matter, I did do my research before taking up anyone’s time here.

I ran netstat -an as suggested on one of the sites and the relevant listing of (I think…) was not present so I thought that meant it must be the router which has it open so closed it there but it still shows up as open. What extra does the ob in -anob do?

You say SNMP could be the reason. I did notice when I was turning off Telnet in the router that SNMP was enabled but presumed it was necessary for normal communications. Would turning it off solve the problem but still allow normal Internet activity?

Thanks for your help Endymion.

Hi Barns,

Port 23 TCP and UDP is Telnet. If you’re using Windows XP make sure the Telnet service is disabled In services.msc.

The correct netstat command would be:

netstat -o -n -a | findstr 0.0:23

-a Displays all connections and listening ports.
-n Displays addresses and port numbers in numerical form.
-o Displays the owning process ID associated with each connection.

Edit: I was just thinking, you could also try telneting on to the port. Open a command prompt and type:

telnet 23

see if you can connect.

“telnet is not recognized as an internal or external command, operable program or batch file” it says in the DOS window. I’m on Windows 7 not XP.

There doesn’t seem to be any reference to port 23 in the listing from netstat -o -n -a and I’m not quite sure what you mean by your vertical line between netstat -o -n -a and findstr. Do you mean new command or is it part of the same command?

Do I need SNMP or would turning it off in the router close the port?

On Windows 7 the Telnet service is not installed by default, which would account for the message you received.

To run the command, just copy and past it into a command window, it’s all one line. I’m not sure where the ‘bar’ will be on your keyboard, on mine it’s bottom left.

SNMP uses TCP and UDP port 161 and unless you have a specific need to query networked MIBs (Management Information Base) and the appropriate software to perform said queries, you don’t need it.

I copied and pasted the command and it just went back to the C: prompt. I presume that means that the 0.0:23 string wasn’t found?

I also disabled SNMP in the router but Shields-up still says ports 23 (Telnet) and 80 are open. The latter has to always be open for http/Internet doesn’t it?

Seems there’s no way to close port 23. Does it really matter? Can people still exploit Telnet for malicious purposes?

I copied and pasted the command and it just went back to the C: prompt. I presume that means that the 0.0:23 string wasn't found?

That’s correct. There has to be a listening process for anything to be reported.

I also disabled SNMP in the router but Shields-up still says ports 23 (Telnet) and 80 are open. The latter has to always be open for http/Internet doesn't it?

As I mentioned earlier, SNMP uses port 161. The only reason port 80 would be open is if you were running a web server. If this is not the case it should be stealthed or closed at the very least.

As Ronny is explaining in your other thread, stateful firewalls maintain connection tables that identify and allows legitimate traffic and drops everything else. That basically means that ports don’t have to be help open for applications like browsers.

Seems there's no way to close port 23. Does it really matter? Can people still exploit Telnet for malicious purposes?

Unfortunately, there are known exploits for this port, see here:[vuln_title]=microsoft+telnet&search[text_type]=alltext

You also have to understand, that just because IANA have reserved port 23 for Telnet, doesn’t mean that some other server service has not been configured to use that port. Virtually any server service can be configured to use virtually any port.

One question I should have asked earlier is, have you run the Stealth Port Wizard from within the Common Tasks of the Firewall? It’s of less importance as the problem appears to be with your router and you’ll have to bypass the router to check the port settings at shields-up.

It could be that your router keep those ports open even if you disable them but since that would be something unusual maybe searching for your brand/model will provide some clues and a specific solution if this is the case. Not all router behave that way and maybe there was a firmware update to fix that (or a reason to complain if it not available despite the router keep those ports open on the internet despite disabled)

There is usually a risk involved in having a service exposed to the internet (WAN) in some cases vulnerabilities are exploited even to to infect specific routers alone.

In case of Dlink routers it looks like there were probes on port 23 to exploit SNMP service.

Some other router which did not properly secure the accesible URLs made possible to bypass authentication and get the password for wireless access.

Even if the router is the reason those port are open there is a risk whereas the nature and severity is related to its brand/model

It’s a TP-LINK TD-8840 non-wireless straight-up ADSL router. I have done specific web searches for that particular model and come up with very little, that’s why I came here. I work and live in a backwater place and most of the stuff I buy here (by model number) doesn’t appear to exist according to the manufacturers’ main websites so…

The TD-8840 does, according to the manufacturer’s main website, but the picture they have looks completely different to what’s in front of me…!

Ports 23 and 80 are always open according to Shields-up. I’m not running a web server, I’m just an ordinary joe using the Internet for normal purposes.

As a result, should I add rules to the router and firewall to block port 80? I thought all web traffic used port 80 so it had to be kept open?

Yes, I’ve run the stealth ports wizard and every other port up to 1056 (as far as Shields-up goes) is either stealthed or closed.

I’ll check out endymion’s and your links and see if I can sort it.

Thanks to all of you for your help.

Apparently there is no vulnerability listed for tp link or TD-8840 anywhere.

I guess you mean this picture which, despite is claimed to apply to your router as well, is different from the one found in its manual which lacks the WAN column.

It looks like the manual is recent since it was based on a 28/03/09 version whenever the latest firmware version was released on 4/15/2009 and support only the second version of TD-8840.

Indeed disabling Telnet and HTTP (the router admin web interface) services on the WAN should close those ports on the internet side.

I guess it could be possible to assign a specific LAN IP to your PC and enable Access contol to allow access only from your PC.

Using Advanced Setup→LAN → Set Address Reservation button it would be possible to assign a specific IP to your PC.
Using Access Control→IP Address it would be possible to add that IP to the allowed list and enable Access control

Just for caution please check under Advanced Setup → NAT → Virtual Servers if there is some rule pertaining port 80 or 23 or if DMZ Host is enabled (it shouldn’t be)

No, I was referring to the image of the unit itself. Mine is dark greyish with the lights in completely different places, but the manufacturer’s website gives a gleaming white unit with the lights etc in completely different places. lol

I wanted to upgrade the firmware but, as you so rightly point out, all the latest firmware says that it’s only for V.2 whereas my lil’ unit say V1.3 on the back so I don’t want to go playing with it if it may fuck up my basic internet access. Should I try upgrading the firmware anyway you reck?

Indeed a new version might change the underlying hardware so it is better to not upgrade since the other version is not supported this might break/brick the router.

I hope that the admin interface looks the same as I found also a TD-8840T which got a totally different one according to its manual.

RE: Your earlier question.

No, there are no rules at all under Advanced Setup-Nat-Virtual servers.

DMZ Host is not enabled.

I’d already downloaded the manual and it’s worse than useless tbh.

Thanks for your patience Endymion.

You’re welcome.

Indeed the manual don’t mention port forwarding and I found out its existence only on on another site, then TP-link site got a picture of the page used to disable services and it is different from the one provided in the manual.

The picture provided in the manual is without the WAN (internet) column thus it looks it is only possible to disable those services on the LAN (eg disabling HTTP on the lan will prevent to access the router admin interface using the browser).

Is there really only a LAN column? ???

[attachment deleted by admin]

Mine’s got a WAN colum, see attached.

Is that set up properly? I disabled Telnet and SNMP myself as part of this ongoing process.

I also tried adding a rule in Comodo blocking port 80 and the Web immediately ceased to work. How can I block/stealth it and still access the Web etc?

[attachment deleted by admin]

If you are interested to test applications like Interface Traffic Indicator you could enable SNMP on your LAN at a later time.

The TFTP service on the LAN is often used for emergency recovery/maintenance of the router, on other models is often automatically activated only during the router bootup.
Since it is unclear if disabling TFTP on the LAN will disable that a well I guess you could leave it to the default.

You could disable the ICMP on the WAN column and test shieldsup again. On other routers that service may affect negatively shieldsup results.

Does disabling telnet on both WAN and LAN stealth port 2523 on shiledsup?
Disabling HTTP on the WAN should have stealthed port 80 as well but it is not possible to disable HTTP on the LAN as this will prevent you to access the router admin web interface.

If the router keep its HTTP/port 80 service active on the WAN no Comodo rule could affect that, though the router should at least deny any access from the internet.

The router itself act as a middleman and could be considered equivalent to a separate PC.
You could configure the firewall to block what your PC send to the router or what the router send to your PC but not what somebody else send to the router alone nor what the router will listen from somebody else.

BTW I guess you could Disable and Turn Off IPv6 Support in Vista as well.

If you wish to follow Endymions good advice about disabling IPv6, you can see my post, for alternative methods and a little background:

Re: Windows Vista NOT completely safe with CIS (IPv6).

I turned TFTP off then since I doubt I’ll need to do any emergency recovery and turned off the ICMP WAN bit too, but Shileds-up still says ports 23 and 80 are open.

Telnet is disabled on both LAN and WAN as in my screenshot but port 23 still shows up as open.

I’m using Windows 7 not Vista, although they do seem to work on the same kernel/core or whatever since all Vista software seems to work fine on 7.

So even disabling telnet on both LAN and WAN didn’t change shieldsup result. :-\

I guess the services are left active but will ignore the requests from the internet.

In case those services were running on your PC it would have been possible to use global rules to block incoming connections

Adding those two rules to the topmost part of Global Rules will deny any connection attempt to port 25 and 80:

BLOCK and LOG TCP IN From IP any Source Port ANY to IP ANY Destination port 80
BLOCK and LOG TCP IN From IP any Source Port ANY to IP ANY Destination port 23 25

Also attempting a shieldsup scan would have those rules log the connection attempt in Firewall Tasks > Common Tasks > View Firewall Events

Sorry it was my mistake, Quill’s tutorial apply to Win7 as well.