
What Runs on Port 3260

Port 3260 is the default port for iSCSI (Internet Small Computer Systems Interface), the protocol that carries SCSI storage commands over a TCP/IP network. It is formally registered with IANA and defined in RFC 7143 (which consolidated the original RFC 3720 from 2004).[1]

When a server connects to an iSCSI storage array on port 3260, the operating system's storage stack has no idea the disk isn't local. It issues ordinary SCSI read and write commands. iSCSI wraps those commands in TCP segments and ships them over the network; the storage array unwraps them, executes them against the physical drives, and sends the results back. The database thinks it's talking to a disk three inches away. The disk is in a cabinet across the data center floor.

How iSCSI Works

iSCSI uses a client/server model with two roles:

  • Initiator: The client — a server that wants to access storage. It sends SCSI commands.
  • Target: The storage system — a SAN array, a NAS, a server with a software iSCSI target. It receives and fulfills those commands.

The connection works like this:

  1. The initiator discovers available targets using iSCSI discovery (also on port 3260)
  2. The initiator logs into a target using the iSCSI login protocol
  3. A session is established over one or more TCP connections
  4. SCSI commands flow inside iSCSI Protocol Data Units (PDUs)
  5. The operating system presents the resulting block device as if it were a local disk

One session can multiplex multiple connections across different network interfaces, giving iSCSI multipath capability — if one network path fails, the session survives on another.
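The login step above is where the initiator names itself and the target and states which authentication methods it will accept, so it is the PDU worth inspecting when auditing a session. The following added example (not code from the original page) decodes the 48-byte Basic Header Segment and the text keys of a Login Request; the sample PDU, its IQNs and its ISID are constructed placeholders.

```python
import struct

# Stage codes carried in the CSG/NSG fields of a Login Request (RFC 7143).
STAGES = {0: "SecurityNegotiation", 1: "LoginOperationalNegotiation",
          3: "FullFeaturePhase"}

def parse_login_request(pdu: bytes) -> dict:
    """Decode the 48-byte Basic Header Segment and text keys of a Login Request."""
    if len(pdu) < 48:
        raise ValueError("truncated PDU: the BHS alone is 48 bytes")
    opcode = pdu[0] & 0x3F                      # 0x40 is the Immediate bit
    if opcode != 0x03:
        raise ValueError(f"not a Login Request (opcode 0x{opcode:02x})")
    flags = pdu[1]                              # T | C | . . | CSG | NSG
    ahs_len = pdu[4] * 4                        # TotalAHSLength counts 4-byte words
    data_len = int.from_bytes(pdu[5:8], "big")  # DataSegmentLength is 24 bits
    isid, tsih, itt, cid = struct.unpack(">6sHIH", pdu[8:22])
    start = 48 + ahs_len
    data = pdu[start:start + data_len]
    if len(data) != data_len:
        raise ValueError("data segment shorter than DataSegmentLength")
    keys = {}
    for item in data.split(b"\x00"):            # NUL-terminated key=value pairs
        if item:
            key, _, value = item.decode("utf-8").partition("=")
            keys[key] = value
    auth = keys["AuthMethod"].split(",") if "AuthMethod" in keys else []
    return {"transit": bool(flags & 0x80),
            "csg": STAGES.get((flags >> 2) & 0x3, "reserved"),
            "nsg": STAGES.get(flags & 0x3, "reserved"),
            "isid": isid.hex(), "tsih": tsih, "itt": itt, "cid": cid,
            "keys": keys, "auth_offered": auth}

def build_sample() -> bytes:
    """Constructed Login Request; the names are placeholders, not captured traffic."""
    text = b"".join(kv + b"\x00" for kv in (
        b"InitiatorName=iqn.2001-04.com.example:host1",
        b"TargetName=iqn.2001-04.com.example:storage.disk1",
        b"SessionType=Normal",
        b"AuthMethod=CHAP,None"))
    bhs = (bytes([0x43, 0x81, 0x00, 0x00, 0x00])        # opcode|I, T+CSG0+NSG1, versions, AHS
           + len(text).to_bytes(3, "big")
           + bytes.fromhex("00023d000001")              # ISID
           + struct.pack(">HIH", 0, 1, 0) + bytes(2)    # TSIH, ITT, CID, reserved
           + struct.pack(">II", 1, 0) + bytes(16))      # CmdSN, ExpStatSN, reserved
    return bhs + text + bytes(-len(text) % 4)           # pad data to a 4-byte boundary

if __name__ == "__main__":
    print(parse_login_request(build_sample()))
```

An `auth_offered` list that contains `None` means the initiator will proceed without CHAP if the target allows it; whether authentication actually happens is decided by the target's Login Response.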

The SCSI Archaeology

SCSI (Small Computer System Interface) was standardized in 1986 as a way to connect hard drives, tape drives, and scanners directly to a computer via a short parallel cable.[2] It was designed for a world where storage was physically attached.

By the late 1990s, enterprises were building Storage Area Networks (SANs) — centralized pools of storage shared across many servers. Fibre Channel was the dominant SAN technology: expensive, fast, and requiring its own dedicated infrastructure and expertise. The question became: can you get the same result over ordinary Ethernet?

IBM and Cisco began working on iSCSI in 1998. The idea was to take SCSI's proven command set — already implemented in every operating system's storage stack — and carry it over IP networks that data centers already had. You wouldn't need specialized Fibre Channel switches and HBAs. You'd use the same Ethernet infrastructure running everything else.

The IETF standardized iSCSI in RFC 3720, published in April 2004.[3] RFC 7143 consolidated the protocol in 2014.[1]

The Two-Port Anomaly

iSCSI is registered with IANA on two ports:

  • Port 860 (TCP/UDP) — the system port, assigned in the 0–1023 range
  • Port 3260 (TCP/UDP) — the registered user port

RFC 3720 explicitly states:

"The well-known TCP port number 860 has been assigned by the IANA to iSCSI. The port number 3260 has been assigned as the iSCSI port number... iSCSI implementations MUST NOT default to use of port 860."[3]

Port 860 is the official system port. Port 3260 is the port implementations are required to default to instead. If you see iSCSI traffic on port 860, something is doing it deliberately — normal implementations default to 3260 and that's what you'll find everywhere.

Security

Port 3260 should never be exposed to the Internet. This is not a recommendation — it is a hard requirement. An iSCSI target exposed to the Internet with weak or no authentication gives an attacker direct block-level access to your storage. They don't just read files through a filesystem. They mount the raw block device and have access to everything on it, including data outside any filesystem, partition tables, and volume metadata.

Common misconfigurations:

  • No CHAP authentication — iSCSI targets configured to accept any initiator that connects
  • No network isolation — iSCSI storage reachable from untrusted networks or the public Internet
  • Default credentials — Target systems shipped with known default CHAP usernames and passwords

iSCSI belongs on a dedicated storage network, isolated from general traffic, with firewall rules permitting only specific authorized initiator IP addresses to reach port 3260. Many enterprises run iSCSI on a completely separate VLAN with no routing to other network segments.[4]

Penetration testers specifically enumerate port 3260. An unauthenticated iSCSI target is a significant finding — it provides a path to data that bypasses application-layer access controls entirely.

How to Check What's Listening on Port 3260

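On Linux/macOS:

# Check if anything is listening on 3260 (Linux; ss is part of iproute2 and is not available on macOS)
ss -tlnp | grep ':3260'

# Or with netstat (Linux net-tools flags; macOS netstat uses -p for the protocol, so run `netstat -an | grep 3260` there)
netstat -tlnp | grep ':3260'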

# Scan a remote host
nmap -sV -p 3260 <target>

Discover available iSCSI targets on a host:

# Using iscsiadm (Linux)
iscsiadm -m discovery -t sendtargets -p <host>:3260

# Or with nmap's iSCSI script
nmap -p 3260 --script iscsi-info <target>

If you find an iSCSI target accepting unauthenticated connections from networks it shouldn't be accessible from, treat it as a critical finding.
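The allowlist rule from the Security section can be checked against what a target host actually sees. This added example (not from the original page) audits `ss -tan` output for iSCSI listeners bound to every interface and for connected peers outside an allowlist; the allowlist, addresses and sample output are all constructed assumptions.

```python
import ipaddress

# Assumed policy for this example: the only initiators allowed to reach the target.
ALLOWED_INITIATORS = [ipaddress.ip_network(n) for n in ("10.20.0.11/32", "10.20.0.12/32")]
ISCSI_PORTS = {3260, 860}   # 860 is the system port; traffic there is deliberate

# Constructed sample of `ss -tan` output from a target host (not real data).
SAMPLE_SS = """\
State   Recv-Q Send-Q  Local Address:Port    Peer Address:Port
LISTEN  0      256     0.0.0.0:3260          0.0.0.0:*
LISTEN  0      128     10.20.0.5:22          0.0.0.0:*
ESTAB   0      0       10.20.0.5:3260        10.20.0.11:51544
ESTAB   0      0       10.20.0.5:3260        192.168.7.40:40112
ESTAB   0      0       [fd00:20::5]:3260     [fd00:20::99]:49822
"""

def split_hostport(field: str):
    """Split 'addr:port' or '[v6addr]:port' on the last colon."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), port

def audit(ss_output: str, allowed=ALLOWED_INITIATORS):
    """Return (kind, detail) findings for iSCSI listeners and peers."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] not in ("LISTEN", "ESTAB"):
            continue                                  # header or other states
        lhost, lport = split_hostport(cols[3])
        if not lport.isdigit() or int(lport) not in ISCSI_PORTS:
            continue                                  # not an iSCSI socket
        if cols[0] == "LISTEN":
            if lhost in ("0.0.0.0", "::", "*"):       # bound to every interface
                findings.append(("wildcard-listener", f"{lhost}:{lport}"))
            continue
        peer = ipaddress.ip_address(split_hostport(cols[4])[0])
        if not any(peer in net for net in allowed):
            findings.append(("unauthorized-peer", str(peer)))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_SS):
        print(kind, detail)
```

A wildcard listener is not a breach by itself, but it means isolation depends entirely on the firewall and VLAN layout rather than on the target's bind address.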

Who Uses Port 3260

You'll find iSCSI on port 3260 in:

  • Virtualization infrastructure — VMware ESXi, Hyper-V, and other hypervisors commonly use iSCSI to attach shared storage for VM disk images
  • Enterprise SAN arrays — NetApp, EMC/Dell, IBM, HPE, and most major storage vendors support iSCSI on port 3260
  • NAS devices — Synology, QNAP, and similar NAS devices can present iSCSI targets for servers to mount as block devices
  • Linux software targets — Systems running targetcli or tgt can export any block device as an iSCSI target
  • Cloud storage — Some cloud providers expose block storage volumes via iSCSI
