Assert ACLs on what ports you do leave open

Wietse Venema's tcp_wrappers tool permits you to accept, reject or twist connections to inbound services based on source IP and/or reverse lookup.

These are a really good idea. Most distributions come with this installed by default, so all you need to do is look at the manual page for host_access.