Every network begins with a question: who is here?
Port 11 answers it. The Active Users protocol, commonly called SYSTAT, does one thing. You connect. The machine responds with a list of every user currently logged in. Then it closes the connection. No authentication. No encryption. No negotiation. Just a plaintext answer to a plaintext question.
In 1983, this was a useful debugging tool. Today, it is an open invitation to anyone scanning your network.
What Port 11 Does
Port 11 runs the Active Users service, defined in RFC 866.[1] The protocol operates on both TCP and UDP.
Over TCP, a client connects to port 11. The server immediately sends a list of currently active users, ignores any data sent by the client, and closes the connection. The entire exchange takes a fraction of a second.
Over UDP, the server listens for incoming datagrams on port 11. When one arrives (the contents are ignored), the server responds with a datagram containing the active user list. If the list is too long for a single datagram, the server splits it across multiple packets, keeping each user's entry intact. The packets may arrive out of order. The client waits for a timeout, then assembles what it received.
There is no defined syntax for the output. The RFC recommends ASCII printable characters, spaces, carriage returns, and line feeds. Each user on a separate line. That is the entire specification.
How It Works
On Unix systems, SYSTAT was typically implemented through inetd, the Internet super-daemon that listened on multiple ports and launched the appropriate service when a connection arrived. The /etc/inetd.conf file would map port 11 to a command like /bin/who or /bin/ps -ef, piping the output directly to the connected client.[2]
This means what you received when you connected to port 11 depended on how the system administrator configured it. Some implementations returned the output of the who command: usernames, terminal lines, login times. Others returned the full output of ps -ef: every running process, its owner, its PID, its command line arguments.
The who command itself is one of the oldest Unix utilities, present since at least Unix 2nd Edition around 1972.[3] It reads from the utmp file, which tracks currently logged-in users. When SYSTAT exposed this information over the network, it was extending a local administrative tool to anyone who could reach port 11.
The History
RFC 866 was authored by Jon Postel and published on May 1, 1983.[1] It carries the designation STD 24. But it did not arrive alone.
On that same day, Postel published six companion RFCs, each defining a simple Internet service:
| RFC | Port | Service | Purpose |
|---|---|---|---|
| 862 | 7 | Echo | Returns whatever you send it |
| 863 | 9 | Discard | Accepts and silently drops data |
| 864 | 19 | Character Generator | Sends an endless stream of characters |
| 865 | 17 | Quote of the Day | Returns a quote |
| 866 | 11 | Active Users | Lists who is logged in |
| 867 | 13 | Daytime | Returns the current date and time |
These seven RFCs represent something remarkable: Postel was building the Internet's diagnostic toolkit.[4] January 1, 1983 had just brought the ARPANET's transition to TCP/IP. The network needed simple, reliable services that administrators could use to verify that packets were flowing, that connections were forming, that the new protocol stack actually worked. Each of these services was described as "a useful debugging and measurement tool."
Postel was not inventing these concepts from scratch. The ARPANET had already developed scattered tools for querying user and system information. The 1978 ARPANET Resource Handbook, coordinated by Elizabeth "Jake" Feinler, documented services like FINGER, NETSTAT, and SYSTAT as programs that retrieved user or system information across the network.[5] Each worked slightly differently depending on which system you were connected to. Postel's RFC 866 formalized one of these into a standard, giving every host on the Internet a common way to answer the question: who is here?
Jon Postel himself was the RFC Editor from the system's creation in 1969 until his death in 1998. He authored or co-authored the specifications for TCP, IP, SMTP, and DNS. He ran the Internet Assigned Numbers Authority (IANA) from his desk at the University of Southern California's Information Sciences Institute. Vint Cerf's memorial RFC 2468, titled "I Remember IANA," captures what Postel meant to the Internet's infrastructure.[6] Port 11 is a small piece of his enormous legacy, but it reflects his philosophy: simple tools, clearly specified, freely available.
Security Considerations
Port 11 is a textbook example of how trust becomes vulnerability.
The Active Users service requires no authentication. Anyone who can reach port 11 receives the same information a system administrator would see. Depending on the implementation, this can include:
- Usernames of every person logged into the system
- Login times and terminal identifiers
- Originating hosts showing where users connected from
- Running processes, their PIDs, and full command-line arguments (when configured with ps -ef)
For an attacker performing reconnaissance, this is a gift. Usernames feed brute-force attacks against SSH and other login services. Process lists reveal which software is running, which versions are installed, and what services might be vulnerable. Login origins expose the network topology.[7]
Every security guideline written in the last three decades says the same thing: disable SYSTAT. Block port 11 at the firewall. Do not run this service.[2] Modern operating systems do not enable it by default. The CIS benchmarks, NIST guidelines, and every penetration testing methodology flag an open port 11 as an information disclosure vulnerability.
The protocol has no mechanism for access control because it was never designed to need one. In 1983, the Internet was a community of researchers who wanted to know who was online. The question was collegial. The answer was freely given. Port 11 still gives the same answer with the same openness. The only thing that changed is who is asking.
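One way to act on the advice above, as an added example that is not from RFC 866 or any vendor tool: a Python audit that reads inetd.conf text and reports every enabled entry for the legacy services this page names. The service names are the standard /etc/services names; the sample configuration is constructed and the severity labels are assumptions of this example.

```python
# Added example: audit inetd.conf text for enabled legacy diagnostic services.
# Standard /etc/services names for the ports discussed on this page.
LEGACY = {"echo": 7, "discard": 9, "systat": 11, "daytime": 13,
          "netstat": 15, "qotd": 17, "chargen": 19, "finger": 79}
# Services whose replies disclose users, processes or network state.
DISCLOSURE = {"systat", "netstat", "finger"}

# Constructed sample configuration, not taken from a real host.
SAMPLE_INETD_CONF = """\
# service socket proto wait   user   server       args
systat    stream tcp   nowait nobody /bin/ps      ps -ef
#systat   dgram  udp   wait   nobody /bin/who     who
netstat   stream tcp   nowait nobody /bin/netstat netstat -a
daytime   stream tcp   nowait root   internal
#chargen  stream tcp   nowait root   internal
ftp       stream tcp   nowait root   /usr/sbin/ftpd ftpd
"""


def audit_inetd(text):
    """Return one finding per enabled legacy-service entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # commented out means disabled
            continue
        fields = line.split()
        # inetd.conf: service socket proto wait user server [args...]
        if len(fields) < 6 or fields[0] not in LEGACY:
            continue
        service = fields[0]
        findings.append({
            "line": lineno,
            "service": service,
            "port": LEGACY[service],
            "proto": fields[2],
            # Built-in services have no argv; report the server field instead.
            "command": " ".join(fields[6:]) or fields[5],
            "severity": "high" if service in DISCLOSURE else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_inetd(SAMPLE_INETD_CONF):
        print("line {line}: {service} ({port}/{proto}) runs '{command}' "
              "[{severity}] -> comment out and reload inetd".format(**f))
```

On a real host, pass the contents of /etc/inetd.conf to audit_inetd(); an empty result means none of these services is enabled through inetd.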
Related Ports
Port 11 belongs to a family of simple diagnostic services from the same era:
- Port 7 (Echo) — Returns whatever you send, used to test round-trip connectivity
- Port 9 (Discard) — Accepts data and throws it away, used to test send capability
- Port 13 (Daytime) — Returns the current date and time in human-readable format
- Port 15 (Netstat) — Similar to SYSTAT, returns network status information (often netstat -a output)
- Port 17 (QOTD) — Returns a quote of the day
- Port 19 (Chargen) — Sends an endless stream of characters for testing
- Port 79 (Finger) — Returns detailed information about specific users
All of these services share the same DNA: they are remnants of an Internet that assumed good faith. Most have been disabled on production systems for decades.