a simple rule is not to allow direct access to the box itself in any way from the outside.
and another one is to add a "trap port" from well-known ports, like ssh, telnet or ftp or something that anything trying to connect to those gets blocked for five or so minutes. effectively "frustrates" any port scanners and blocks most security scanning tools :)
_________________________
download KiXnet
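
The trap-port rule described in the post above, modelled as an added example that is not part of the original post: a small filter replayed over constructed connection events. The port set, the exact 300-second window, the restart-on-repeat behaviour and the allowlist are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

TRAP_PORTS = {21, 22, 23}   # ftp, ssh, telnet: the trap ports named in the post
BLOCK_SECONDS = 300         # "five or so minutes"

@dataclass
class TrapPortFilter:
    trap_ports: set = field(default_factory=lambda: set(TRAP_PORTS))
    block_seconds: int = BLOCK_SECONDS
    # Assumption: management hosts are exempt so an admin typo cannot lock them out.
    allowlist: set = field(default_factory=set)
    blocked_until: dict = field(default_factory=dict)

    def decide(self, ts, src, dport):
        """Return 'drop' or 'accept' for one inbound connection attempt."""
        if src in self.allowlist:
            return "accept"
        if dport in self.trap_ports:
            # Touching a trap port starts (or restarts) the block for this source.
            self.blocked_until[src] = ts + self.block_seconds
            return "drop"
        if self.blocked_until.get(src, 0) > ts:
            return "drop"
        self.blocked_until.pop(src, None)  # expired entry, free the slot
        return "accept"

# Constructed sample events: (seconds, source address, destination port)
EVENTS = [
    (0,   "198.51.100.7", 80),  # normal visitor
    (10,  "203.0.113.9",  21),  # scanner touches the ftp trap
    (11,  "203.0.113.9",  80),  # so its probe of the real service is dropped
    (12,  "198.51.100.7", 80),  # other sources are unaffected
    (200, "203.0.113.9",  22),  # second trap hit restarts the timer (until 500)
    (400, "203.0.113.9",  80),  # still inside the restarted block
    (501, "203.0.113.9",  80),  # block has expired
]

def replay(events, filt=None):
    """Run events through a filter and return the verdict for each one."""
    filt = filt or TrapPortFilter()
    return [filt.decide(ts, src, dport) for ts, src, dport in events]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, replay(EVENTS)):
        print(event, verdict)
```

Because the block is keyed on source address alone, anything sharing that address (a NAT gateway, a proxy) is blocked together with the scanner for the same window.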