Defense against port scans

So far, we have learned how to use port scanning techniques to discover and detect information about remote hosts. The counterpart is that any host or service exposed to users through some form of connectivity, whether an enterprise WAN or the internet, can itself be port scanned. Port scanning is also not classed as illegal activity unless the information gathered is used to exploit systems.

How much information is exposed to the outside world is down to the system administrator. Any IP scan starts with ICMP, and you can block all incoming ICMP on an enterprise edge device. This makes ping ineffective and, by filtering ICMP unreachable messages, blocks traceroute as well, which serves as a first line of defense. But does this solve the whole problem? No: port scans work directly against TCP/UDP ports as well.

Another way to limit information is to disable all unnecessary services on a system. Of course, you cannot block every service: if you are running an HTTPS service on a host, then only port 443 (HTTPS) should be exposed to the internet. One more simple method is to restrict services by source IP address, so that scans from other addresses do not detect them.

A final, cleverer solution is to configure policies on the firewall/IPS/IDS for threat signature detection. Just like other applications, Nmap has its own signature, so its probes can be recognized.
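The detection policy described above can be complemented by a behavioural rule run over the edge device's own deny logs, which catches a scan regardless of which tool produced it. The Python below is an added example written for this section; it is not code from the chapter or from any firewall/IDS product. The log line format, the 60-second window, the thresholds of 10 distinct ports and 10 distinct hosts, and the sample records are all constructed assumptions. It flags a source that probes many ports on one host (a vertical scan) or one port across many hosts (a horizontal sweep), counting within a sliding window so that a legitimate client refused a few times over a long period is not reported.

```python
"""Threshold-based port-scan detection over firewall deny logs (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not a real product's syntax):
# "<ISO timestamp> DENY src=<ip> dst=<ip> proto=<TCP|UDP> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>TCP|UDP) dport=(?P<dport>\d+)$"
)

# Tuning knobs (assumed values; adjust to the network's normal traffic).
WINDOW = timedelta(seconds=60)   # sliding window evaluated per source address
PORT_THRESHOLD = 10              # distinct ports on one host -> vertical scan
HOST_THRESHOLD = 10              # distinct hosts on one port -> horizontal sweep


def parse_line(line: str):
    """Return (timestamp, src, dst, proto, dport) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
            m["proto"], int(m["dport"]))


def detect_scans(lines):
    """Return sorted alerts as (src, kind, target, count) tuples.

    kind is 'vertical' (many ports on one host; target is the host) or
    'horizontal' (one port across many hosts; target is the port as a string).
    Events are grouped per source and counted inside a sliding WINDOW, and
    count is the largest number of distinct ports/hosts seen in any window.
    """
    events = defaultdict(list)  # src -> [(ts, dst, dport)]
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ts, src, dst, _proto, dport = rec
            events[src].append((ts, dst, dport))

    alerts = {}  # (src, kind, target) -> max count
    for src, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            # Every event in turn opens a window; collect what follows within it.
            window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for _, dst, dport in window:
                ports_per_host[dst].add(dport)
                hosts_per_port[dport].add(dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= PORT_THRESHOLD:
                    key = (src, "vertical", dst)
                    alerts[key] = max(alerts.get(key, 0), len(ports))
            for dport, hosts in hosts_per_port.items():
                if len(hosts) >= HOST_THRESHOLD:
                    key = (src, "horizontal", str(dport))
                    alerts[key] = max(alerts.get(key, 0), len(hosts))
    return sorted((*k, v) for k, v in alerts.items())


def constructed_log():
    """Sample deny records, constructed for this example (documentation IP ranges)."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    # One source probes 12 well-known ports on a single host within 22 seconds.
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443]):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} DENY src=203.0.113.5 dst=198.51.100.10 proto=TCP dport={port}")
    # Another source probes port 445 on 11 different hosts within 11 seconds.
    for i in range(1, 12):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} DENY src=192.0.2.9 dst=198.51.100.{i} proto=TCP dport=445")
    # A legitimate client refused on two ports stays below both thresholds.
    lines.append(f"{base.isoformat()} DENY src=198.51.100.77 dst=198.51.100.10 proto=UDP dport=161")
    ts = (base + timedelta(seconds=5)).isoformat()
    lines.append(f"{ts} DENY src=198.51.100.77 dst=198.51.100.10 proto=TCP dport=8080")
    return lines


if __name__ == "__main__":
    for src, kind, target, count in detect_scans(constructed_log()):
        print(f"ALERT {kind:10s} src={src:<14s} target={target:<14s} count={count}")
```

The two thresholds trade false positives against misses: set too low, a busy client that is refused on a handful of ports gets reported; set too high, a scan that stays under the count is missed. Run a rule like this alongside the signature policies on the firewall/IPS/IDS rather than instead of them, since the two approaches catch different things.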