Further to what Erik said, the closed connections don't accumulate over time; they're the result of a single attack or a portscan. Subsequent attacks only reuse them without increasing their number. You'll notice that most of the connections were made from the same IP.
On 9grid there are 500+ connections in the "closed" state, all from the same IP which, it appears from the logs, ran an automated scanner for vulnerable websites:

clf:131.94.130.46 - - [03/Jun/2010:06:24:47 +0000] "GET /admin/lang.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:47 +0000] "GET /inc/pipe.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /include/write.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /becommunity/community/index.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /modules/xoopsgallery/upgrade_album.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /modules/mod_mainmenu.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:49 +0000] "GET /modules/agendax/addevent.inc.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:49 +0000] "GET /shoutbox/expanded.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:49 +0000] "GET /modules/xgallery/upgrade_album.php HTTP/1.1"
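
Added example, not part of the original post: one way to pick a scanner like this out of the log automatically is to flag any client that gets 404s for many distinct paths within a few seconds. The sample lines are constructed in the format shown above (documentation IP addresses, paths taken from the log excerpt); the function names, the 5-path threshold and the 10-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "clf:" tag + Common Log Format; IPs are documentation addresses.
SAMPLE = """\
clf:192.0.2.10 - - [03/Jun/2010:06:24:47 +0000] "GET /admin/lang.php HTTP/1.1" 404 0
clf:192.0.2.10 - - [03/Jun/2010:06:24:47 +0000] "GET /inc/pipe.php HTTP/1.1" 404 0
clf:192.0.2.10 - - [03/Jun/2010:06:24:48 +0000] "GET /include/write.php HTTP/1.1" 404 0
clf:192.0.2.10 - - [03/Jun/2010:06:24:48 +0000] "GET /modules/mod_mainmenu.php HTTP/1.1" 404 0
clf:192.0.2.10 - - [03/Jun/2010:06:24:49 +0000] "GET /shoutbox/expanded.php HTTP/1.1" 404 0
clf:192.0.2.10 - - [03/Jun/2010:06:24:49 +0000] "GET /modules/xgallery/upgrade_album.php HTTP/1.1"
clf:198.51.100.7 - - [03/Jun/2010:06:25:10 +0000] "GET /index.html HTTP/1.1" 200 5120
clf:198.51.100.7 - - [03/Jun/2010:06:25:12 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

LINE = re.compile(
    r'^(?:clf:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$')

def parse(text):
    """Yield (ip, time, path, status); skip malformed or truncated lines."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield m["ip"], ts, m["path"], int(m["status"])

def find_scanners(text, min_paths=5, window=timedelta(seconds=10)):
    """Return {ip: most distinct 404 paths seen in any window}, thresholded."""
    misses = defaultdict(list)
    for ip, ts, path, status in parse(text):
        if status == 404:
            misses[ip].append((ts, path))
    flagged = {}
    for ip, hits in misses.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window's left edge forward
            best = max(best, len({p for _, p in hits[start:end + 1]}))
        if best >= min_paths:
            flagged[ip] = best
    return flagged
```

Counting distinct paths rather than raw requests keeps a client that retries one missing file (a favicon, say) from being flagged.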