The easiest way to protect against tools like Metasploit is to make sure that no exploitable services are running. Of course, this isn’t always as easy as it sounds. Services are constantly being probed for weaknesses and new exploits are found all the time. If you’re lucky, the vendor will release a patch. If you’re even luckier, the patch won’t break anything essential.
However, odds are that you’re not that lucky.
Some systems stop receiving updates after a period of time (Windows NT and 2000, for example) and some cannot be updated without breaking a linked system (manufacturing systems are often deliberately kept unpatched for this reason). It’s also quite likely that a so-called “zero day” exploit will be used against you. A zero-day exploit targets a vulnerability for which no patch exists at the time it is used: the vendor has had zero days to fix it. Of course, such vulnerabilities tend to be announced only after the exploit has already been found and used… so the “zero” could well be a “negative thirty” (or 60 or 120).
So, if you can’t make sure that your running services aren’t inherently exploitable, you’re pretty much left with two choices. You can either turn the services off (a service that isn’t running can’t be exploited) or you can try to wrap the service in a system that makes it harder to exploit, or that limits the damage when it is.
I recommend that you do both. If you don’t need a service, disable it. If you do need it, consider wrapping technologies like AppArmor, Suhosin, OSSEC, Core Force and Mod Security, or put a more generic proxy in front of it. Note that these tools work at different layers and are not interchangeable: AppArmor confines what a process may touch on the host, Suhosin hardens the PHP runtime, Mod Security filters HTTP requests as a web application firewall, Core Force acts as a host firewall and application-control layer on Windows, and OSSEC is a host intrusion detection system, so it detects and responds rather than prevents. Pick the one that matches the service you are protecting.
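The “disable what you don’t need” step starts with knowing what is actually listening. The script below is an added example, not code from the original post: it parses `ss -Hltnp` style output, skips loopback-only listeners, and reports every port exposed on a non-loopback address that is not on an allowlist. The `ss` lines are constructed for illustration rather than captured from a real host, and the allowlist (22 and 80) is an assumption you would replace with the ports your host is supposed to expose.

```shell
#!/bin/sh
# Constructed sample of `ss -Hltnp` output (not taken from a real system).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=590,fd=4))
LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=1340,fd=36))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1410,fd=21))'

# Assumed allowlist: ports this host is permitted to expose beyond loopback.
ALLOWED_PORTS="22 80"

# unexpected_listeners SS_OUTPUT ALLOWED_PORTS
# Prints "port process" for every listener bound to a non-loopback address
# whose port is not in the allowlist. Loopback-only listeners are ignored
# because they are not reachable from the network.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 4 {
        addr = $4
        port = addr; sub(/.*:/, "", port)       # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
        if (host == "127.0.0.1" || host == "[::1]") next
        proc = $6                                # users:(("name",pid=..,fd=..))
        sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
        if (proc == "") proc = "?"               # no -p or no permission
        if (!(port in ok)) print port, proc
    }'
}

# Run against the constructed sample; on a live host use:
#   unexpected_listeners "$(ss -Hltnp)" "$ALLOWED_PORTS"
unexpected_listeners "$SAMPLE_SS" "$ALLOWED_PORTS"
```

Each line of output is a service to either disable (if nobody needs it) or to confine with one of the wrapping technologies above (if they do). Running it from cron and diffing against the previous result is a cheap way to notice when a new listener appears.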