How to Install Telnet on Debian 13, 12 and 11

Last updated Friday, May 22, 2026 7:47 am Joshua James 8 min read

Plain TCP checks are still easier with Telnet when you need to see whether a remote service even answers. You can install Telnet on Debian from the default repositories for that client-side testing, and the legacy server package is still available too, but Debian 13 and 12 need one extra inetd enablement step before port 23 actually starts listening.

Telnet sends usernames, passwords, and session data in plain text. Keep it on trusted networks for diagnostics or legacy systems, and use SSH for routine remote administration (see the guide to install SSH on Debian).

Install Telnet on Debian

Refresh the package index so APT sees the current Debian package set before you install the client or the legacy server components.

sudo apt update

The install and service commands use sudo for package management and privileged changes. If your account does not have sudo access yet, follow the guide to add a user to sudoers on Debian first.

The package choice is simple once you separate client-side testing from a legacy inbound Telnet service.

| Goal | Packages | Debian 13 and 12 | Debian 11 |
|---|---|---|---|
| Client only | telnet | The transitional telnet package pulls inetutils-telnet. | telnet installs the netkit client directly. |
| Client and server | telnet telnetd | Adds inetutils-telnetd and inetutils-inetd, but the packaged Telnet entry must be enabled with update-inetd. | Adds telnetd and openbsd-inetd, and Bullseye starts listening on port 23 right after install. |

Install the Telnet client on Debian with sudo apt install telnet. If your shell says telnet: command not found, that is the package you need. Add telnetd only when this Debian machine must accept incoming Telnet sessions.

Install the Telnet Client on Debian

Use the client-only package when you want outbound tests such as SMTP, HTTP, SSH, or a legacy Telnet login on another host.

sudo apt install telnet

Older runbooks may use sudo apt-get install telnet. That form reaches the same Debian package, but apt is shorter for an interactive install.

After the install finishes, confirm that APT marked the client package as installed. Relevant lines from Debian 13 look like this:

apt-cache policy telnet
telnet:
  Installed: 0.17+2.6-3+deb13u3
  Candidate: 0.17+2.6-3+deb13u3
  Version table:
 *** 0.17+2.6-3+deb13u3 500
        500 http://deb.debian.org/debian trixie/main amd64 Packages
        100 /var/lib/dpkg/status

On Debian 13 and 12, the installed client comes from GNU inetutils, so telnet --version returns a normal version banner. Debian 11 uses the older netkit client, and that build does not support --version.

telnet --version
telnet (GNU inetutils) 2.6

The exact version differs by release. Debian 13 and 12 return a GNU inetutils version banner, while Debian 11 stays on the older netkit client package.

On Bullseye, the same command prints an invalid-option message because the netkit client lacks a version flag. That difference looks odd, but the client still works normally for outbound connection tests.

Install the Telnet Server on Debian

Install the server package only when this Debian system must accept incoming Telnet logins from another machine on a trusted network.

sudo apt install telnet telnetd

Debian 13 (Trixie) and Debian 12 (Bookworm) map telnetd to inetutils-telnetd and install inetutils-inetd. Debian 11 (Bullseye) instead uses openbsd-inetd. That package split is why the next enablement step differs by release.

Enable the Telnet Service on Debian 13 and 12

On Debian 13 and 12, inetutils-inetd.service stays inactive until the Telnet entry is enabled in /etc/inetd.conf. The packaged line starts as #<off># telnet, so enable it with update-inetd and restart the service.

sudo update-inetd --enable telnet
sudo systemctl restart inetutils-inetd.service

Debian 11 does not need that edit. Bullseye installs openbsd-inetd, enables the Telnet entry automatically, and starts listening on port 23 as soon as telnetd finishes installing.
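
The enablement state can also be read straight from the configuration file. The following is an added example, not part of the original guide: a shell helper that classifies the telnet line in an inetd.conf-style file. The helper name telnet_inetd_state, the separate "commented" state for plain # comments, and the fields in the sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the telnet entry in an inetd.conf-style file.
# telnet_inetd_state is a hypothetical helper name, not a Debian tool.
telnet_inetd_state() {
    conf="${1:-/etc/inetd.conf}"
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    awk '
        # Active entry: the service name is the first field.
        $1 == "telnet"                    { active = 1 }
        # Entry switched off with the "#<off>#" marker described above.
        $1 == "#<off>#" && $2 == "telnet" { off = 1 }
        # Plain "#" comment: not the "#<off>#" marker, reported separately.
        $1 == "#telnet" || ($1 == "#" && $2 == "telnet") { manual = 1 }
        END {
            if (active)      print "enabled"
            else if (off)    print "disabled"
            else if (manual) print "commented"
            else             print "absent"
        }
    ' "$conf"
}

# Constructed sample: the packaged line as it looks before enablement.
# The fields after the service name are illustrative.
demo_conf=$(mktemp)
printf '%s\n' \
    '# /etc/inetd.conf (constructed sample)' \
    '#<off># telnet stream tcp nowait root /usr/sbin/telnetd telnetd' \
    > "$demo_conf"
echo "before: $(telnet_inetd_state "$demo_conf")"

# Simulate what enabling does to the line: the marker is removed.
sed 's/^#<off># telnet/telnet/' "$demo_conf" > "$demo_conf.on"
echo "after:  $(telnet_inetd_state "$demo_conf.on")"
rm -f "$demo_conf" "$demo_conf.on"
```

Called with no argument, the helper reads /etc/inetd.conf, which makes it usable in a hardening check that should fail whenever the result is "enabled" on a host that is not meant to serve Telnet.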

Verify the Telnet Service on Debian

Use the service name that matches your release, then confirm that TCP port 23 is actually listening.

On Debian 13 and 12, check inetutils-inetd.service after enabling the Telnet entry:

systemctl is-active inetutils-inetd.service
active

On Debian 11, the package is openbsd-inetd, but the service unit to inspect is inetd.service:

systemctl is-active inetd.service
active

Then confirm the listener on any release:

sudo ss -H -tln 'sport = :23'
LISTEN 0      10     0.0.0.0:23 0.0.0.0:*

The backlog number can differ by release. The important parts are the LISTEN state and 0.0.0.0:23 address.

Test Telnet Connections on Debian

With the client installed, you can test local listeners, reach remote legacy hosts, and confirm whether a TCP port is reachable from this Debian system.

Test a Local Telnet Connection on Debian

Start with the local service if you installed telnetd on this machine:

telnet 127.0.0.1 23
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Using 127.0.0.1 avoids IPv6 loopback confusion when the inetd listener is bound only on IPv4. To disconnect, press Ctrl+], type quit, and press Enter.

Connect to a Remote Telnet Server from Debian

To open a Telnet session to another host, provide its IP address or hostname and the destination port. The default Telnet port is 23.

telnet 192.168.1.100 23

If the connection fails, verify that the remote host is running a Telnet service, that its firewall allows TCP port 23, and that you are targeting the right address.

Test Service Ports with the Telnet Client on Debian

You can also use the Telnet client as a quick TCP reachability test for other services.

Replace the sample hosts with the service address you need to test.

# Test HTTP on port 80
telnet example.com 80

# Test SMTP on port 25
telnet mail.example.com 25

# Test SSH on port 22
telnet 192.168.1.100 22

When the port is reachable, the client prints Connected to. If the port is closed or filtered, you will see Connection refused or a timeout instead.

An HTTP test is a good example because you can send a plain request after the TCP session opens.

telnet example.com 80

Relevant output includes the connection line and escape-character prompt:

Connected to example.com.
Escape character is '^]'.

After the TCP session opens, type a minimal HTTP request so you can see whether the server answers with real headers and content.

GET / HTTP/1.1
Host: example.com
Connection: close

Press Enter twice after the request headers. The server should answer with HTTP headers and the page body, which confirms that the web service is reachable and responding.

Navigate the Telnet Interface on Debian

Once the TCP session is open, you can either interact with the remote service directly or drop back to the local Telnet prompt for connection controls.

Access the Telnet Prompt on Debian

Press Ctrl+] at any time to leave the remote session and open the local telnet> prompt.

Run Common Telnet Commands on Debian

The local Telnet prompt accepts a small set of control commands.

display
toggle localchars
send brk
quit

display shows the current session settings, toggle localchars changes local echo handling, send brk sends a break signal, and quit closes the client.

Close a Telnet Session on Debian

Exit the remote shell with exit or logout, or return to the Telnet prompt and close the session there.

quit
telnet> quit
Connection closed.

Use close when you need to disconnect from the current host but keep the Telnet client open for another connection.

Restrict Telnet Access on Debian with UFW

Because Telnet has no transport encryption, keep it behind network boundaries and allow only the addresses that still need it.

Install UFW on Debian

UFW is not part of every Debian installation, so add it first if you want a simpler firewall front end.

sudo apt install ufw

If you are managing this system over SSH, allow SSH before you enable UFW or you can lock yourself out. The broader workflow is covered in the guide to install and configure UFW on Debian. If SSH listens on a custom port, allow that TCP port instead.

sudo ufw allow 22/tcp

After SSH is allowed, enable UFW. The --force flag skips the confirmation prompt, so use it only after the SSH rule is present.

sudo ufw --force enable
Firewall is active and enabled on system startup

Allow Telnet from Specific Addresses on Debian

Do not open port 23 to every source unless you have a hard requirement to do so.

Allow one trusted host:

sudo ufw allow from 192.168.1.10 to any port 23 proto tcp

Allow an internal subnet:

sudo ufw allow from 192.168.1.0/24 to any port 23 proto tcp

Verify Telnet Firewall Rules on Debian

Review the rules after you add them so you can confirm that SSH and Telnet are both present.

sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 23/tcp                     ALLOW IN    192.168.1.10
[ 3] 23/tcp                     ALLOW IN    192.168.1.0/24
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
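
The same status output can be checked automatically for Telnet rules that are not limited to a source address. This is an added example, not part of the original guide: the helper name telnet_rules_open_to_any and the sample status text are constructed for illustration, and the parsing assumes the column layout shown above.

```shell
#!/bin/sh
# Added example: flag UFW rules that allow Telnet (port 23) from any source.
# telnet_rules_open_to_any is a hypothetical helper; it reads the text of
# `ufw status numbered` on stdin and prints the offending rule numbers.
telnet_rules_open_to_any() {
    # Turn "[ 2] 23/tcp ..." into "2  23/tcp ..." so awk can split the
    # columns on runs of two or more spaces.
    sed -n 's/^\[ *\([0-9][0-9]*\)] */\1  /p' |
    awk -F '  +' '
        {
            port = $2
            sub(/ \(v6\)$/, "", port)      # IPv6 rows carry a "(v6)" suffix
            if ((port == "23" || port == "23/tcp") &&
                $3 == "ALLOW IN" && $4 ~ /^Anywhere/)
                print $1
        }
    '
}

# Constructed sample output: rules 2 and 3 are scoped to a source, rules 4
# and 6 expose Telnet to every source, and rule 5 only looks similar.
sample_status='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 23/tcp                     ALLOW IN    192.168.1.10
[ 3] 23/tcp                     ALLOW IN    192.168.1.0/24
[ 4] 23/tcp                     ALLOW IN    Anywhere
[ 5] 2323/tcp                   ALLOW IN    Anywhere
[ 6] 23/tcp (v6)                ALLOW IN    Anywhere (v6)'

open_rules=$(printf '%s\n' "$sample_status" | telnet_rules_open_to_any)
if [ -n "$open_rules" ]; then
    # Unquoted on purpose so the rule numbers print on one line.
    echo "Telnet open to any source in rule(s):" $open_rules
fi
```

On a live system, pipe sudo ufw status numbered into the function. Matching on the port column avoids the false hits a bare grep 23 produces for ports such as 2323 or source addresses that contain 23.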

Remove a Telnet Firewall Rule on Debian

When you no longer need one of the Telnet rules, delete it by the numbered entry shown in your own status output. Replace 3 with the Telnet rule number on your system.

sudo ufw --force delete 3
Rule deleted

Troubleshoot Telnet Connection Issues on Debian

Most Telnet failures come down to a disabled listener, a blocked firewall rule, or a host that is reachable on the network but not accepting connections on the requested port.

Fix “Connection Refused” Errors with Telnet on Debian

A refused connection means the remote host answered your TCP request, but nothing was listening on that port.

telnet 192.168.1.100 23
Trying 192.168.1.100...
telnet: Unable to connect to remote host: Connection refused

On Debian 13 and 12, the most common cause is that inetutils-inetd never saw an active Telnet entry after package installation.

systemctl is-active inetutils-inetd.service
sudo update-inetd --enable telnet
sudo systemctl restart inetutils-inetd.service
sudo ss -H -tln 'sport = :23'

If you are troubleshooting Debian 11 instead, check inetd.service. Bullseye should already have the Telnet line enabled.

Fix Telnet Timeouts on Debian

A timeout usually points to a network path problem or a firewall that is dropping packets before the remote host can answer.

ping -c 4 192.168.1.100

If the host answers ping, check whether your firewall rules actually allow inbound Telnet traffic.

sudo ufw status numbered | grep 23
[ 2] 23/tcp                     ALLOW IN    192.168.1.10

Review Telnet Service Logs on Debian

The journal is the fastest way to catch failed enablement, syntax mistakes in /etc/inetd.conf, or failed service restarts.

On Debian 13 and 12:

sudo journalctl -xeu inetutils-inetd.service

On Debian 11:

sudo journalctl -xeu inetd.service

Look for configuration syntax errors, missing helper binaries, or another service already occupying port 23.

Update Telnet on Debian

Debian provides Telnet client and server updates through APT. Use the package names you installed so APT does not pull in the optional server package by accident.

For a client-only install:

sudo apt update
sudo apt install --only-upgrade telnet

For a client and server install:

sudo apt update
sudo apt install --only-upgrade telnet telnetd

Remove Telnet from Debian

When you no longer need the client or the server, remove the packages and then verify that the command and listener are both gone.

Remove Telnet Packages on Debian

Use the removal command that matches what you installed. Review APT’s package list before confirming, especially on systems where Telnet or inetd packages existed before you followed this workflow.

For a client-only install:

sudo apt remove --autoremove telnet

For a client and server install:

sudo apt remove --autoremove telnet telnetd

On Debian 13 and 12, this command removes telnet and telnetd, then can autoremove inetutils-telnetd, inetutils-inetd, and tcpd when they are no longer needed. Debian 11 removes telnetd, openbsd-inetd, and tcpd in the same client-and-server cleanup path.

If command -v telnet still prints a path on Debian 13 or 12 after removal, the real client package inetutils-telnet was already present or is still required by another package. Simulate that removal first and reject the transaction if APT plans to remove unrelated desktop, printing, or application packages.

apt-get -s remove --autoremove inetutils-telnet

Remove Telnet Firewall Rules on Debian

If you added UFW rules for port 23, remove those too so the firewall stays readable.

sudo ufw status numbered

Then delete the Telnet rule number or numbers you no longer need. Replace 2 with the matching rule number from your own firewall output.

sudo ufw --force delete 2

Verify Telnet Removal on Debian

Confirm that the package names are not installed, then clear Bash’s command cache before checking whether the client binary is gone from your path.

dpkg -l telnet telnetd 2>/dev/null | grep '^ii' || echo "telnet package names removed"
hash -r
command -v telnet || echo "telnet command not found"

When no package still owns the client command, relevant output looks like this:

telnet package names removed
telnet command not found

Finally, check port 23 again. No output means the Telnet listener is gone.

sudo ss -H -tln 'sport = :23'

Conclusion

Telnet is now installed on Debian for quick TCP checks or the occasional legacy login, with the Debian 13 and 12 server path enabled through update-inetd. Keep it behind trusted network boundaries, narrow access with UFW, and leave day-to-day remote administration to SSH.
