By default, a listening socket will accept packets from any IP
address. This means that any host on the Internet will be able to
connect to your server. If your server has bugs, they might be
exploited to compromise your account. To reduce this possibility,
you can bind your socket to the loopback address, rather than the
wildcard address. This will cause the network stack to reject
connections unless the destination address on the connection request
is the loopback address. To do so, the address field of the sockaddr
struct that you pass to bind should be set to the loopback
address.
For an example, see this code.
You can check that your program is only listening on the loopback
address using netstat. Assuming that your program is
listening on port 9000, the output of netstat -tnl | grep
9000 should be:
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN
If your program is listening on the wildcard address, you will
instead see:
tcp 0 0 0.0.0.0:9000 0.0.0.0:* LISTEN
