1. Ports
  2. Port 98

Port 98: TAC News and Linuxconf — The Sysadmin's Browser Window

Port 98 is registered with IANA as tacnews, the TAC News service. But if you ran Red Hat Linux in the late 1990s, you knew port 98 for something else entirely: it was the port where Linuxconf listened, giving you root-level system administration through a web browser.

Two services, two eras, one port. Both are gone now.

TAC News: The Official Assignment

The "TAC" in TAC News stands for Terminal Access Controller, a piece of hardware that was fundamental to the early ARPANET and MILNET.1 TACs were terminal concentrators, devices that let users with dumb terminals dial in over phone lines and connect to hosts on the network. By 1980, Telenet alone had over 1,000 switching nodes fed by TAC concentrators.2

TAC News was a service for distributing information and updates related to these controllers. The protocol was registered on port 98 for both TCP and UDP. No RFC was ever published for TAC News specifically. It was a housekeeping service for military network infrastructure, not a protocol that needed formal standardization.

The Terminal Access Controllers themselves were the ancestors of the TACACS authentication protocol, which BBN Technologies formalized in 1984 and which eventually became the basis for TACACS+, still used today on Cisco equipment for network device authentication.3 But TAC News itself faded with the hardware it served.

Linuxconf: The Real Story of Port 98

In the mid-1990s, Jacques Gélinas of Solucorp in Canada built Linuxconf, a system administration tool for Linux.4 The idea was ambitious: one tool that could manage networking, user accounts, filesystems, boot configuration, and services. And it could do it through a text interface, an X Window GUI, or a web browser.

The web interface ran on port 98.

To use it, you pointed your browser at http://your-machine:98, and Linuxconf served you a web-based control panel with root-level access to the system.5 You could add users, configure network interfaces, manage services, set up DNS. Everything. From Netscape Navigator.

Red Hat Linux adopted Linuxconf starting with version 5.1 and shipped it as a core system tool.6 For a few years in the late 1990s, port 98 was where Linux sysadmins went to configure their servers without touching a terminal.

The choice of port 98 was informal. Gélinas needed a port, TAC News wasn't using its assignment, and nobody objected. The /etc/services files across Linux distributions quietly listed both:

tacnews    98/tcp    # TAC News
tacnews    98/udp    # TAC News

With a comment noting Linuxconf's presence on the same port.

The Security Problem

Linuxconf on port 98 had a fundamental design tension: it provided root-level system control through an HTTP interface. In 1999, a remote buffer overflow vulnerability was discovered in Linuxconf 1.1.6r10.7 An attacker could send excess data in the USER_AGENT HTTP header field, overflow the buffer, and execute arbitrary code as root.

Root access. Through a web browser. On a port that was supposed to be carrying news about 1980s military terminal hardware.

Red Hat deprecated Linuxconf in Red Hat Linux 7.1 in April 2001.8 The project lost momentum, and modern distributions replaced it with tools like Webmin, Cockpit, and direct CLI management.

How the Protocol Worked

TAC News had no formally published protocol specification. It operated on a simple client-server model for distributing text-based updates about Terminal Access Controller operations on military networks.

Linuxconf's web interface was more interesting. It ran as an HTTP server on port 98, activated through inetd (the Internet superserver daemon). The administrator had to explicitly enable remote access and configure which hosts were allowed to connect. Once enabled, Linuxconf generated HTML forms dynamically based on the system's current configuration, processed form submissions, and applied changes directly to system files.

Security Considerations

Port 98 should not be open on any modern system. Both services that used it are obsolete:

  • TAC News served hardware that no longer exists
  • Linuxconf has known remote code execution vulnerabilities and has been abandoned for over two decades

If you see traffic on port 98, investigate immediately. There is no legitimate modern service that uses this port. Unexpected activity here could indicate misconfiguration of a legacy system or unauthorized use of an unmonitored port.

Checking for Activity on Port 98

# Linux: check if anything is listening on port 98
sudo ss -tlnp | grep :98
sudo lsof -i :98

# macOS: check for listeners
sudo lsof -i :98
netstat -an | grep '\.98 '

# Scan a remote host
nmap -p 98 target-host

Related Ports

PortServiceConnection
49TACACS/TACACS+The authentication protocol born from the same TAC hardware that TAC News served
80HTTPThe protocol Linuxconf borrowed to serve its web interface
10000WebminOne of the tools that replaced Linuxconf for web-based administration
9090CockpitThe modern successor to browser-based Linux administration

Frequently Asked Questions

Previous

Port 97: Swift-RVF — The Protocol That Left Only Its Name

Next

Port 99: Metagram Relay — The Protocol Nobody Remembers

Was this page helpful?

😔
🤨
😃