I don't know of a way to do this. HTTP and HTTPS support could probably be disabled, but most operating systems require a firewall to block ICMP access - there isn't any real way to disable it. I'm not sure exactly how to modify the firewall ruleset on ESXi.

PAM support in ESXi is pretty limited - the modules you have there are the ones you get, so if you can't do it with what's included, I'm not sure if there's a way to do it at all.

Finally, 427 is known in services as srvloc - commonly known as SLP. It's a common protocol used in advertising and locating services on a LAN - similar to Apple's Bonjour/MDNS system.

For item two you can see this page and try the httpsOnly option - http://www.vm-help.com/esx/esx3i/http_transfers.php. You should also look at port 902 (legacy VI client connections) and 5989 (CIM server - you can disable this in advanced settings in the health status tab is not essential to you).

A question about PAM on ESXi. Is there anything that would keep one from building pam modules on another box and using them on the ESXi host? The only difficulty that I can see here is having the correct libc versions, etc.

Well, someone has to say it, so I will: the answer to the ssh problem is "don't use it". The first rule of securing a computer is to reduce your attack surface. This is particularly true in this case; I would certainly not publicly expose a service that is explicitly "unsupported".

Learn to use the RCLI: I have yet to find anything important that I can't accomplish that way, though it isn't always straightforward, is rough around the edges, and does take some reading of the manual.

You might also take a look here; I found it helpful: http://searchvmware.techtarget.com/tip/0,289483,sid179_gci1340015,00.html?track=NL-915&ad=675974&asr...

Cheers -d