I would like to say, though, that your recommendations about changing the service ports are a bit outdated.
Modern scans pick up everything no matter what port your service is on. The scanner fingerprints the OS from the way packet headers / sequence numbers / etc look, and fingerprints the service ports based on what the scanner sees when it connects to open ports. If it sees an SMTP banner on port 80, and the service responds correctly to "HELO somehost.example.org" guess what - it's logging you as a mail server on port 80. Security through obscurity is not really helping much, and it makes your own life harder having to remember what ports your services really live on.
It's better to make an IP List of trusted sources (e.g. your office's IP, your home's IP, etc.), and only allow connections from those IPs. Use the firewall to block this, not the "from addresses" field(s) in ip services. The firewall is much more flexible. After the permanent whitelist, you can allow "transient" access by VPN, or port knocking.
I might also add that insecure services such as telnet / ftp / and www should be disabled or at least limited to ONLY the LAN interfaces.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
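
The whitelist-plus-knock layout described in the post above, as an added example that is not part of the original post. It assumes MikroTik RouterOS syntax (suggested by the post's reference to "ip services"), a WAN interface named `ether1` and a LAN interface named `bridge`; the addresses, list names and knock ports are constructed placeholders.

```routeros
# Added example. Assumptions: WAN = ether1, LAN = bridge,
# addresses are documentation ranges, knock ports are arbitrary.

# Permanent whitelist of trusted sources
/ip firewall address-list
add list=trusted address=203.0.113.10 comment="office (constructed)"
add list=trusted address=198.51.100.25 comment="home (constructed)"

/ip firewall filter
# Keep replies to connections that are already allowed
add chain=input connection-state=established,related action=accept comment="established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"

# Management from the LAN side
add chain=input in-interface=bridge action=accept comment="LAN"

# Permanent whitelist: decided by the firewall, not per-service address fields
add chain=input src-address-list=trusted action=accept comment="trusted sources"

# Transient access: two-stage port knock.
# Stage 1 is remembered for 10 seconds; stage 2 only counts if stage 1 was hit.
add chain=input in-interface=ether1 protocol=tcp dst-port=7001 \
    action=add-src-to-address-list address-list=knock-stage1 \
    address-list-timeout=10s comment="knock 1"
add chain=input in-interface=ether1 protocol=tcp dst-port=7002 \
    src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=knock-ok \
    address-list-timeout=1h comment="knock 2"
add chain=input src-address-list=knock-ok action=accept comment="knocked sources"

# Everything else addressed to the router is dropped, whatever port it targets
add chain=input action=drop comment="default drop"

# Turn off the cleartext management services entirely
/ip service
disable telnet,ftp,www
```

Rule order matters because the first match wins, so the final drop must stay last. Apply a default-drop input chain from the LAN side or in Safe Mode so a mistake does not cut off your own session.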