Port 2605: BGPd VTY — The back door into your BGP daemon

What Port 2605 Does

Port 2605 is the default Virtual Terminal (VTY) port for bgpd, the BGP daemon in Quagga and its modern successor FRRouting (FRR).

Quagga and FRRouting are open-source routing suites that bring full dynamic routing — BGP, OSPF, RIP, and others — to Linux systems. They're used by Internet service providers, cloud operators, and network engineers who need a software router without proprietary hardware.

Each daemon in the suite runs its own management shell on its own port. The VTY interface is a telnet-based command line that speaks Cisco IOS. You connect, authenticate, and get a familiar > prompt where you can inspect routing tables, check BGP neighbor states, and diagnose session problems.

$ telnet localhost 2605

Hello, this is Quagga (version 0.99.23).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

User Access Verification

Password:
bgpd>

Port 2605 is specifically for bgpd. The other daemons in the suite have their own ports: zebra on 2601, ripd on 2602, ripngd on 2603, ospfd on 2604, ospf6d on 2606.¹

The IANA Registration

IANA's registry lists port 2605 as "NSC POSA," registered to someone named Tom Findley. There's no public documentation about what NSC POSA actually is or does, and it sees no observed real-world traffic. The Quagga VTY convention predates or simply ignores this registration, and in practice, if you see traffic on port 2605, it's a routing daemon's management interface.²

Security Considerations

The VTY interface is intended for local or trusted network access only. By default, bgpd binds to 127.0.0.1, meaning only local processes can connect. If it's exposed to a wider network — even accidentally — an attacker with access to port 2605 can read your full routing configuration and potentially inject routes.

If you're running Quagga or FRR and don't need the VTY interface, disable it. If you do need it, ensure it's firewalled to localhost or a dedicated management network.

How to Check What's Listening

Linux:

ss -tlnp | grep 2605
# or
lsof -i :2605

macOS:

lsof -i :2605

Cross-platform:

nmap -sV -p 2605 localhost

If you see bgpd or frr in the output, you're running a BGP daemon with its VTY interface active. If you see something else entirely, investigate — this port has no other well-known legitimate uses.