
Port 992 is the officially assigned port for Telnet over TLS/SSL, also known as "telnets" or Secure Telnet. It's Telnet—the remote terminal protocol from 1969—wrapped in modern encryption because the original was spectacularly insecure.

What It Does

Telnet on port 23 transmits everything in plaintext. Every keystroke. Every password. Every command. Readable by anyone with access to the network path.

Port 992 fixes this by wrapping the entire Telnet session in TLS/SSL encryption. When a client connects to port 992, TLS negotiation happens immediately—before any credentials or commands are transmitted. The session is encrypted. The passwords are protected. The traffic is no longer readable in transit.

It's the same remote terminal access, just secured.

How It Works

The difference between port 23 and port 992 is timing:

Port 23 (standard Telnet):

  1. Connection established
  2. Username transmitted (plaintext)
  3. Password transmitted (plaintext)
  4. Commands flow back and forth (plaintext)

Port 992 (Telnet over TLS/SSL):

  1. Connection established
  2. TLS handshake occurs (encryption negotiated)
  3. Everything after this point is encrypted
  4. Username, password, commands—all protected

The Telnet protocol itself doesn't change. The encryption is a wrapper, not a redesign.

Who Uses This

Port 992 appears primarily in environments where legacy systems require Telnet access but security policies won't permit plaintext transmission anymore.

IBM Systems: IBM i (formerly OS/400) uses port 992 as the default for TelnetS. Administrators managing these systems connect through terminal emulators configured for TLS. [1]

Mainframe Access: IBM z/OS systems often offer TN3270E (the mainframe variant of Telnet) over port 992. Clients like x3270, Rocket BlueZone, and IBM Personal Communications support it. [2]

Legacy Infrastructure: Organizations with equipment or software that requires Telnet but can't be upgraded to SSH use port 992 as a compromise—keep the protocol, add the encryption.

The Honest Assessment

Port 992 is a Band-Aid.

Telnet was designed when the Internet was a few dozen universities and trust was assumed. It never had authentication integrity, session protection, or any concept of modern security. Port 992 adds encryption, which solves the interception problem, but it doesn't fix the protocol's deeper architectural issues.

SSH on port 22 was designed secure from the ground up—better key management, integrated authentication, session integrity, and more flexibility. SSH has largely replaced Telnet for good reason.

Port 992 exists because you can't always migrate immediately. Sometimes the system is too old, too critical, or too expensive to replace. Sometimes the vendor never added SSH support. Sometimes the infrastructure just won't budge.

In those cases, port 992 is what you do when you can't do better but refuse to do nothing.

Security Considerations

Better than port 23: Encryption prevents credential interception and protects session data from eavesdropping.

Worse than port 22 (SSH): SSH offers superior authentication methods, session integrity checking, and a more robust security model. If you can use SSH, use SSH.

Configuration matters: TLS on port 992 is only as strong as its configuration. Weak cipher suites, outdated TLS versions, or poor certificate validation undermine the protection. Ensure modern TLS (1.2+) and strong ciphers are enforced.

Still a target: Attackers know port 992 exists for legacy access. Ensure strong authentication, monitor connections, and restrict access by IP when possible.
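A client-side check for the "Configuration matters" point above, as an added example (not from the original page): it builds a TLS context that refuses anything below TLS 1.2 and validates the server certificate, probes a TelnetS listener you administer, and flags weak negotiated parameters. The function names and the weak-cipher marker list are assumptions made for this illustration, and the byte strings mentioned in the comments are constructed samples.

```python
import socket
import ssl

# Substrings that mark a weak suite in OpenSSL-style cipher names (illustrative list).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")

def strict_context(cafile=None):
    """Client context: certificate and hostname validation on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def classify_first_bytes(data):
    """Classify the first bytes seen on a connection to port 992.

    A TLS record starts with a content type (0x14-0x17) and major version 0x03,
    e.g. the constructed ClientHello prefix b"\\x16\\x03\\x01\\x02\\x00".
    Plaintext Telnet starts with IAC (0xFF), e.g. b"\\xff\\xfd\\x18" (IAC DO TERMINAL-TYPE).
    """
    if len(data) >= 3 and data[0] in (0x14, 0x15, 0x16, 0x17) and data[1] == 0x03:
        return "tls"
    if data[:1] == b"\xff":
        return "plaintext-telnet"
    return "unknown"

def assess(version, cipher):
    """Findings for a negotiated (version, cipher) pair, live or taken from logs."""
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"outdated protocol {version}")
    findings += [f"weak cipher component {m}" for m in WEAK_MARKERS if m in cipher]
    return findings

def probe(host, port=992, cafile=None, timeout=5.0):
    """Handshake with strict settings; ssl.SSLError means the server cannot meet them."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_context(cafile).wrap_socket(raw, server_hostname=host) as tls:
            version, cipher = tls.version(), tls.cipher()[0]
            return {"version": version, "cipher": cipher,
                    "findings": assess(version, cipher)}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python check_telnets.py <host you administer>
        print(probe(sys.argv[1]))
```

A certificate error or handshake failure from `probe` is itself a finding: the listener is either presenting a certificate clients cannot validate or only offering protocol versions below TLS 1.2.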

Checking What's Listening

On Linux/macOS:

sudo lsof -i :992
sudo netstat -tulpn | grep :992   # Linux only (net-tools); on macOS use the lsof command above

On Windows:

netstat -ano | findstr :992

If you see something listening on port 992, determine whether it's an authorized TelnetS service or something unexpected. Unauthorized listeners should be investigated immediately.

Why Unassigned Ports Matter

Port 992 isn't unassigned—it has a clear purpose. But its existence illustrates why the port assignment system matters.

IANA assigns ports to prevent conflicts and establish standards. When a protocol needs secure and insecure variants (like Telnet on 23 vs. Telnet over TLS on 992), having distinct, recognized ports prevents ambiguity. Clients know where to connect for encrypted sessions. Firewalls know which traffic to allow. Administrators know what they're looking at in logs.

Without assigned ports, every implementation would choose arbitrarily. The Internet would be chaos.

  • Port 23 — Standard Telnet (plaintext, insecure)
  • Port 22 — SSH (the modern replacement for Telnet)
  • Port 993 — IMAP over TLS/SSL (another "add encryption" port)
  • Port 995 — POP3 over TLS/SSL (same pattern)
