We always use this rule to notice a interloper that the service was prohibited.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
But, I think it's better to disguise the rejection as no service, rather than notice a interloper there was a service you cannot reache.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-host-prohibited

$ sudo apt-get install numlockx
$ sudo gedit /etc/lightdm/lightdm.conf
add this line at he end
greeter-setup-script=/usr/bin/numlockx on