No. If you get an incoming connection and you don’t want it after all, you will have to accept() is and close() it right away. This is not a consequence of the way TCP (or other network protocols) work, but it is inherent in the socket API.

Assuming we’re talking about TCP/IP, it’s instructive to note that by the time select() (or poll() or whatever) has notified you that the listening socket is ready for reading, it’s already too late to not accept the connection: the kernel has already accepted the connection on your behalf. That is, it has already sent out a SYN|ACK in response to the incoming SYN packet. That’s actually the effect of the listen() system call. After that, the call to accept() is just a formality: it allocates a new file descriptor for the accepted connection.

The most notable piece of software that could potentially take advantage of a different way of doing things is TCP wrappers. TCP wrappers generally makes a decision as to whether or not to accept an incoming connection based solely on the remote IP address. If it were given the opportunity to make this decision and refuse the connection before it was even accepted, then it would enable clients whose connections have been denied by TCP wrappers to get a true “Connection refused” response (a RST response to the SYN packet, just the same as if nothing were listening on the port). But with the sockets interface, there is no way for it to do that. Instead the client’s connection is opened and then immediately closed.

Not all operating systems are the same this way. For example on Cisco IOS, when you configure an access-list of on a vty port to permit incoming connections from some IP addresses and deny them from others, the denied connections get a true “Connection refused”. But it’s not implemented using sockets. (It’s probably implemented using something very proprietary.)