How to Install Telnet on Debian 13, 12 and 11

Last updated Monday, March 23, 2026 12:04 pm Joshua James 7 min read

Plain TCP checks are still easier with Telnet when you need to see whether a remote service even answers. You can install Telnet on Debian from the default repositories for that client-side testing, and the legacy server package is still available too, but Debian 13 and 12 need one extra inetd fix before port 23 actually starts listening.

Telnet sends usernames, passwords, and session data in plain text. Keep it on trusted networks for diagnostics or legacy systems, and use SSH for routine remote administration (see the guide to install SSH on Debian).

Install Telnet on Debian

Start with a package index refresh so APT sees the current Debian package set before you install the client or the legacy server components.

sudo apt update && sudo apt upgrade

These commands use sudo for package management and service changes. If your account does not have sudo access yet, follow the guide to add a user to sudoers on Debian first.

The package choice is simple once you separate client-side testing from a legacy inbound Telnet service.

Goal | Packages | Debian 13 and 12 | Debian 11
Client only | telnet | The transitional telnet package pulls inetutils-telnet. | telnet installs the netkit client directly.
Client and server | telnet telnetd | Adds inetutils-telnetd and inetutils-inetd, but port 23 still needs one manual enablement step. | Adds telnetd and openbsd-inetd, and Bullseye starts listening on port 23 right after install.

Install the Telnet client on Debian with sudo apt install telnet. If your shell says telnet: command not found, that is the package you need. Add telnetd only when this Debian machine must accept incoming Telnet sessions.

Install the Telnet Client on Debian

Use the client-only package when you want outbound tests such as SMTP, HTTP, SSH, or a legacy Telnet login on another host.

sudo apt install telnet

After the install finishes, confirm that APT marked the client package as installed:

apt-cache policy telnet
telnet:
  Installed: 0.17+2.x
  Candidate: 0.17+2.x
  Version table:
 *** 0.17+2.x 500
        500 http://deb.debian.org/debian [release]/main amd64 Packages
        100 /var/lib/dpkg/status

On Debian 13 and 12, the installed client comes from GNU inetutils, so telnet --version returns a normal version banner. Debian 11 uses the older netkit client, and that build does not support --version.

telnet --version
telnet (GNU inetutils) 2.x

The exact version and Debian release name differ between Trixie, Bookworm, and Bullseye, but the package mapping stays the same within each release family.

On Bullseye, the same command prints an invalid-option message because the netkit client lacks a version flag. That difference looks odd, but the client still works normally for outbound connection tests.

Install the Telnet Server on Debian

Install the server package only when this Debian system must accept incoming Telnet logins from another machine on a trusted network.

sudo apt install telnet telnetd

Debian 13 and 12 map telnetd to inetutils-telnetd and install inetutils-inetd. Debian 11 instead uses openbsd-inetd. That package split is why the next enablement step differs by release.

Enable the Telnet Service on Debian 13 and 12

On Debian 13 and 12, inetutils-inetd.service stays inactive until it sees an enabled entry that starts at column 1 in /etc/inetd.conf. The packaged Telnet line keeps a leading space, so remove that space once and restart the service.

sudo sed -i 's/^ telnet/telnet/' /etc/inetd.conf
sudo systemctl restart inetutils-inetd.service

Debian 11 does not need that edit. Bullseye installs openbsd-inetd, enables the Telnet entry automatically, and starts listening on port 23 as soon as telnetd finishes installing.
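
The check below is an added example, not part of the original guide: it classifies the Telnet entry in an inetd.conf-style file as active, indented, commented or absent, and previews the one-space fix on a copy before the real file is touched. The sample line and its field values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): report how telnet appears in an
# inetd.conf-style file. Prints: active, indented, commented or absent.
# "indented" is the Debian 13/12 case that the guide fixes with sed.
telnet_entry_state() {
    awk '
        /^telnet[ \t]/          { active = 1; next }    # enabled, starts at column 1
        /^[ \t]+telnet[ \t]/    { indented = 1; next }  # leading whitespace
        /^[ \t]*#.*telnet[ \t]/ { commented = 1 }       # disabled by a comment marker
        END {
            if (active)         print "active"
            else if (indented)  print "indented"
            else if (commented) print "commented"
            else                print "absent"
        }
    ' "$1"
}

# Run the same one-space substitution on a file and write the result to
# stdout, so the outcome can be inspected without editing in place.
preview_fix() {
    sed 's/^ telnet/telnet/' "$1"
}

# Constructed sample; the field values are illustrative only.
sample=$(mktemp)
fixed=$(mktemp)
trap 'rm -f "$sample" "$fixed"' EXIT
printf '%s\n' '# constructed sample inetd.conf' \
    ' telnet stream tcp nowait root /usr/sbin/telnetd telnetd' > "$sample"
preview_fix "$sample" > "$fixed"

echo "before fix: $(telnet_entry_state "$sample")"
echo "after fix:  $(telnet_entry_state "$fixed")"
```

Pointing telnet_entry_state at /etc/inetd.conf on a host that should not accept Telnet gives a quick audit: anything other than commented or absent deserves a closer look.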

Verify the Telnet Service on Debian

Use the service name that matches your release, then confirm that TCP port 23 is actually listening.

On Debian 13 and 12, check inetutils-inetd.service after the line fix:

systemctl status --no-pager inetutils-inetd.service | sed -n '1,8p'
● inetutils-inetd.service - Inetutils Inetd
     Loaded: loaded (/usr/lib/systemd/system/inetutils-inetd.service; enabled; preset: enabled)
     Active: active (running)

ss -tlnp | grep ':23'
LISTEN 0      ...          0.0.0.0:23       0.0.0.0:*

On Debian 11, the service to inspect is openbsd-inetd.service:

systemctl status --no-pager openbsd-inetd.service | sed -n '1,8p'
● openbsd-inetd.service - OpenBSD Internet Superserver
     Loaded: loaded (/lib/systemd/system/openbsd-inetd.service; enabled; vendor preset: enabled)
     Active: active (running)

Test Telnet Connections on Debian

With the client installed, you can test local listeners, reach remote legacy hosts, and confirm whether a TCP port is reachable from this Debian system.

Test a Local Telnet Connection on Debian

Start with the local service if you installed telnetd on this machine:

telnet localhost 23
Trying ::1...
Connection failed: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

A quick IPv6 refusal followed by an IPv4 success is normal when the Telnet listener is bound only on IPv4. To disconnect, press Ctrl+], type quit, and press Enter.

Connect to a Remote Telnet Server from Debian

To open a Telnet session to another host, provide its IP address or hostname and the destination port. The default Telnet port is 23.

telnet 192.168.1.100 23

If the connection fails, verify that the remote host is running a Telnet service, that its firewall allows TCP port 23, and that you are targeting the right address.

Test Service Ports with the Telnet Client on Debian

You can also use the Telnet client as a quick TCP reachability test for other services.

# Test HTTP on port 80
telnet example.com 80

# Test SMTP on port 25
telnet mail.example.com 25

# Test SSH on port 22
telnet 192.168.1.100 22

When the port is reachable, the client prints Connected to. If the port is closed or filtered, you will see Connection refused or a timeout instead.

An HTTP test is a good example because you can send a plain request after the TCP session opens.

telnet example.com 80
Trying 93.184.216.34...
Connected to example.com.
Escape character is '^]'.

After the TCP session opens, type a minimal HTTP request so you can see whether the server answers with real headers and content.

GET / HTTP/1.1
Host: example.com
Connection: close

Press Enter twice after the request headers. The server should answer with HTTP headers and the page body, which confirms that the web service is reachable and responding.

Navigate the Telnet Interface on Debian

Once the TCP session is open, you can either interact with the remote service directly or drop back to the local Telnet prompt for connection controls.

Access the Telnet Prompt on Debian

Press Ctrl+] at any time to leave the remote session and open the local telnet> prompt.

Run Common Telnet Commands on Debian

The local Telnet prompt accepts a small set of control commands.

display
toggle localchars
send brk
quit

display shows the current session settings, toggle localchars changes local echo handling, send brk sends a break signal, and quit closes the client.

Close a Telnet Session on Debian

Exit the remote shell with exit or logout, or return to the Telnet prompt and close the session there.

quit
telnet> quit
Connection closed.

Use close when you need to disconnect from the current host but keep the Telnet client open for another connection.

Restrict Telnet Access on Debian with UFW

Because Telnet has no transport encryption, keep it behind network boundaries and allow only the addresses that still need it.

Install UFW on Debian

UFW is not installed by default on the validated Debian hosts, so add it first if you want a simpler firewall front end.

sudo apt install ufw

If you are managing this system over SSH, allow SSH before you enable UFW or you can lock yourself out. The broader workflow is covered in the guide to install and configure UFW on Debian.

sudo ufw allow ssh

Then enable the firewall:

sudo ufw enable
Firewall is active and enabled on system startup

Allow Telnet from Specific Addresses on Debian

Do not open port 23 to every source unless you have a hard requirement to do so.

Allow one trusted host:

sudo ufw allow from 192.168.1.10 to any port 23

Allow an internal subnet:

sudo ufw allow from 192.168.1.0/24 to any port 23

Verify Telnet Firewall Rules on Debian

Review the rules after you add them so you can confirm that SSH and Telnet are both present.

sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 23                         ALLOW IN    192.168.1.10
[ 3] 23                         ALLOW IN    192.168.1.0/24
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
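
As an added example (not part of the original guide), the script below parses the numbered status output, flags port 23 rules that allow every source, and lists Telnet rule numbers highest first, because ufw renumbers the remaining rules after each delete. The sample input is the status output above with one constructed broad rule added.

```shell
#!/bin/sh
# Added example (not from the original guide): audit "ufw status numbered"
# output for rules that admit traffic to port 23. Reads the output on stdin.

# Print "<rule number><TAB><source>" for every ALLOW rule whose To column is port 23.
telnet_allow_rules() {
    awk '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            # Split on the action keyword so a wide To column cannot shift fields.
            if (!match(rest, / +ALLOW( IN| OUT| FWD)? +/)) next
            to   = substr(rest, 1, RSTART - 1)
            from = substr(rest, RSTART + RLENGTH)
            sub(/ +$/, "", from)
            if (to ~ /^23(\/tcp)?( |$)/) print num "\t" from
        }'
}

# Rule numbers that expose Telnet to every source, which the guide warns against.
telnet_open_to_any() {
    telnet_allow_rules | awk -F '\t' '$2 ~ /^Anywhere/ { print $1 }'
}

# Telnet rule numbers, highest first, so deleting them one by one never
# shifts the number of a rule that is still waiting to be removed.
telnet_delete_order() {
    telnet_allow_rules | cut -f1 | sort -rn
}

# Constructed sample: the status output shown above plus one deliberately broad rule.
SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 23                         ALLOW IN    192.168.1.10
[ 3] 23                         ALLOW IN    192.168.1.0/24
[ 4] 23/tcp                     ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

echo "open to any source: $(printf '%s\n' "$SAMPLE" | telnet_open_to_any | tr '\n' ' ')"
echo "delete order:       $(printf '%s\n' "$SAMPLE" | telnet_delete_order | tr '\n' ' ')"
```

On a live host, pipe the output of sudo ufw status numbered into telnet_open_to_any; an empty result means no rule allows port 23 from every source.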

Remove a Telnet Firewall Rule on Debian

When you no longer need one of the Telnet rules, delete it by the numbered entry shown in your own status output. Replace 3 in the example below with the Telnet rule number on your system.

sudo ufw delete 3
Deleting:
 allow from 192.168.1.0/24 to any port 23
Proceed with operation (y|n)? y
Rule deleted

Troubleshoot Telnet Connection Issues on Debian

Most Telnet failures come down to a disabled listener, a blocked firewall rule, or a host that is reachable on the network but not accepting connections on the requested port.

Fix “Connection Refused” Errors with Telnet on Debian

A refused connection means the remote host answered your TCP request, but nothing was listening on that port.

Trying 192.168.1.100...
telnet: Unable to connect to remote host: Connection refused

On Debian 13 and 12, the most common cause is that inetutils-inetd never saw an active Telnet entry after package installation.

systemctl status --no-pager inetutils-inetd.service | sed -n '1,8p'
sudo sed -i 's/^ telnet/telnet/' /etc/inetd.conf
sudo systemctl restart inetutils-inetd.service
ss -tlnp | grep ':23'

If you are troubleshooting Debian 11 instead, swap the service command to openbsd-inetd.service. Bullseye should already have the Telnet line enabled.

Fix Telnet Timeouts on Debian

A timeout usually points to a network path problem or a firewall that is dropping packets before the remote host can answer.

ping -c 4 192.168.1.100

If the host answers ping, check whether your firewall rules actually allow inbound Telnet traffic.

sudo ufw status numbered | grep 23
[ 2] 23                         ALLOW IN    192.168.1.10

Review Telnet Service Logs on Debian

The journal is the fastest way to catch syntax mistakes in /etc/inetd.conf or failed service restarts.

On Debian 13 and 12:

journalctl -xeu inetutils-inetd.service

On Debian 11:

journalctl -xeu openbsd-inetd.service

Look for configuration syntax errors, missing helper binaries, or another service already occupying port 23.

Remove Telnet from Debian

When you no longer need the client or the server, remove the packages and then verify that the command and listener are both gone.

Remove Telnet Packages on Debian

APT can remove the dummy packages and the server-side dependencies in one pass.

sudo apt remove --autoremove telnet telnetd

On Debian 13 and 12, the validated removal also cleaned up inetutils-telnet, inetutils-telnetd, inetutils-inetd, and tcpd. On Debian 11, the same command removed telnetd, openbsd-inetd, and tcpd alongside the client package.

Remove Telnet Firewall Rules on Debian

If you added UFW rules for port 23, remove those too so the firewall stays readable.

sudo ufw status numbered

Then delete the Telnet rule number or numbers you no longer need. Replace 2 in the example below with the matching rule number from your own firewall output.

sudo ufw delete 2

Verify Telnet Removal on Debian

Confirm that both packages report as uninstalled and that the client binary is gone from your path.

apt-cache policy telnet telnetd
command -v telnet || echo "telnet removed"
telnet:
  Installed: (none)

telnetd:
  Installed: (none)

telnet removed

Telnet on Debian FAQ

These questions cover the release-specific package split and the listener behavior that usually causes confusion after the first install.

Is Telnet available in Debian’s default repositories?

Yes. Debian 13, 12, and 11 all ship the Telnet client in the default APT repositories. On Debian 13 and 12, the telnet package pulls inetutils-telnet, while Debian 11 installs the netkit client directly.

Do I need telnetd to test ports from my Debian system?

No. The telnet client is enough for outbound tests such as checking whether port 25 or 80 answers on another host. Install telnetd only when this Debian machine must accept incoming Telnet sessions on port 23.

Why is port 23 not listening after I install telnetd on Debian 13 or 12?

On Debian 13 and 12, telnetd installs inetutils-inetd, but the packaged Telnet entry can still leave the unit’s start condition unmet. Remove the leading space from the active telnet line in /etc/inetd.conf, restart inetutils-inetd, and verify the listener with ss -tlnp | grep ':23'.

Why does telnet --version fail on Debian 11?

Bullseye ships the older netkit client, and that implementation does not support --version. Use apt-cache policy telnet to confirm the package version, or just run telnet host port to test connectivity.

Conclusion

With Telnet installed on Debian, you have a tool for quick TCP checks or the occasional legacy login, but the server side needs extra care on current releases. Keep it behind trusted network boundaries, narrow access with UFW (see the guide to install and configure UFW on Debian), and leave day-to-day remote administration to SSH (see the guide to install SSH on Debian).
