This is/was a purely theory-based question. The server farms I manage get both treatments (individual 'hardening', and a cluster of high performance firewalls) because a) no single solution will ever be totally secure, and b) not all attacks come from filtered IPs. This is common knowledge. I guess what my question should have been is this:
Excluding any form of packet based denial of service (wherein a target's service is denied due to an overwhelming amount of 'bad' traffic), can a unix system be attacked using TCP/IP, if no programs are listening? I guess a case in point would be the old Ping of Death, where nothing had to be listening on the host (besides a conformant TCP stack), but a specially malformed ICMP echo request would crash the system. I may be groping in the dark for something that has no real answer, or no 'easy' answer, but I have just been wondering on what avenues an exposed system is open to attack.
If no daemons or other programs are listening on a given port, does the OS and its TCP stack just ignore inbound packets destined for that port? Is there a special 'dead packet zone'? I could probably look this up in the source, but I'm not exactly a hotshot C coder (in fact, I might go as far as to say I suck worse than a 1st year CS student).
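The "dead packet zone" question above can be answered empirically without reading kernel source. The script below is an added example, not part of the original post: it asks the kernel for a free port, releases it so nothing is listening, and then probes that closed port over loopback. On a standard Unix stack the TCP probe comes back as "connection refused" (the stack answered the SYN with a RST), and the UDP probe is answered with an ICMP port-unreachable that the kernel surfaces as `ConnectionRefusedError` on the connected datagram socket. The 127.0.0.1 address, the probe payload and the timeout are assumptions of this example; the UDP result may read "silent" on stacks that rate-limit or suppress ICMP errors.

```python
import socket

LOOPBACK = "127.0.0.1"  # assumption: probe the local stack only


def free_port(kind):
    """Bind to port 0 so the kernel picks a free port, then close it.

    After this returns, nothing is listening on the port, which is exactly
    the situation the question asks about.
    """
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind((LOOPBACK, 0))
        return s.getsockname()[1]


def probe_closed_tcp(port, timeout=2.0):
    """Send a SYN to a port with no listener.

    Returns 'rst' if the stack actively refused (it replied with a RST,
    seen here as ECONNREFUSED), 'silent' if nothing came back before the
    timeout (what a DROP firewall rule would produce), or 'accepted' if
    something unexpectedly answered.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((LOOPBACK, port))
        except ConnectionRefusedError:
            return "rst"
        except socket.timeout:
            return "silent"
        return "accepted"


def probe_closed_udp(port, timeout=2.0):
    """Send a datagram to a UDP port with no listener.

    A connected UDP socket lets the kernel report the ICMP port-unreachable
    it receives back as ECONNREFUSED on the next recv(), so we can tell an
    active 'unreachable' answer apart from pure silence.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((LOOPBACK, port))
        try:
            s.send(b"constructed probe payload")  # constructed sample data
            s.recv(64)
        except ConnectionRefusedError:
            return "icmp_unreachable"
        except socket.timeout:
            return "silent"
        return "replied"


if __name__ == "__main__":
    tcp_port = free_port(socket.SOCK_STREAM)
    udp_port = free_port(socket.SOCK_DGRAM)
    print(f"TCP {tcp_port} (no listener): {probe_closed_tcp(tcp_port)}")
    print(f"UDP {udp_port} (no listener): {probe_closed_udp(udp_port)}")
```

The point the run makes is that a closed port is not ignored: the stack parses the packet, looks up the socket table, finds nothing, and generates a reply. That parsing and reply path is code that runs on every unsolicited packet, which is why hardening the stack (sysctls, ICMP rate limits) and filtering in front of it are complementary rather than redundant, as the post already notes.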