As far as the maven clojure plugin goes, which is what I personally use, this issue is fixed in version 1.3.4, which is now publicly available.
I'm told that modern leiningen setups open local ports, and that Phil has patched swank-clojure so that a local port is the default, so as long as you use the latest versions of things this issue should be dead.
If you start your swank servers from old pom.xmls or project.cljs, you should probably still be careful just in case they pull in old versions of swank-clojure and clojure-maven-plugin. Update them if you can.
Well done to Phil and Mark, who fixed this within hours of it being noticed. Thanks guys!
A warning to anyone using SLIME/SWANK with clojure.
swank-clojure appears to open its server on the public port 4005 by default.
Note, not the loopback port 4005, the real one, visible to everyone.
If you don't have a firewall set up, then you're not only giving everyone on your local network the ability to execute arbitrary code on your machine, you're giving them a very nice interface with which to do it.
This appears to be the default behaviour of:
Connection opened on local port 34633
If you want a loopback port, then you have to say:
(swank.swank/start-server "/tmp/swank-port" :host "localhost")
Connection opened on local port 47233
And this behaviour appears to be inherited by the maven-clojure-plugin, and by leiningen using certain project files.
It does appear that a newly-created leiningen project opens the loopback port, but that's a property of project.clj, not of the leiningen tool itself.
If you're using swank and clojure, run a firewall, because you really don't want to open this port by accident on a hostile network:
Under Ubuntu, that's as simple as:
$ sudo ufw enable
To block everything, and:
$ sudo ufw allow 22
You can still use a local emacs to interact with a remote machine by using this command to tunnel the remote port 4005 to your local port 4005 before using M-x slime-connect:
$ ssh -2 -N -f -L 4005:localhost:4005 user@remotebox
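To confirm which interface a running swank server is actually bound to, you can filter the listening sockets reported by `ss -ltn` for port 4005. This is an added example, not part of the original post; the function name `exposed_listeners` and both sample `ss` outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: list non-loopback addresses that are listening on a TCP port.
# Reads `ss -ltn` output on stdin; $1 is the port (swank's default is 4005).
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            laddr = $4
            pos = match(laddr, /:[0-9]+$/)   # last colon splits address from port
            if (pos == 0) next
            addr = substr(laddr, 1, pos - 1)
            if (substr(laddr, pos + 1) != port) next
            gsub(/^\[|\]$/, "", addr)        # drop IPv6 brackets
            sub(/%.*$/, "", addr)            # drop interface scope such as %lo
            # Loopback forms: 127.0.0.0/8, ::1, and IPv4-mapped loopback
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print addr
        }'
}

# Constructed sample: swank bound to every interface (the risky default).
SAMPLE_PUBLIC='State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN 0      128    0.0.0.0:22              0.0.0.0:*
LISTEN 0      50     *:4005                  *:*'

# Constructed sample: swank started with :host "localhost".
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN 0      128    0.0.0.0:22              0.0.0.0:*
LISTEN 0      50     [::ffff:127.0.0.1]:4005 *:*'

for sample in "$SAMPLE_PUBLIC" "$SAMPLE_LOOPBACK"; do
    found=$(printf '%s\n' "$sample" | exposed_listeners 4005)
    if [ -n "$found" ]; then
        echo "port 4005 reachable via: $found"
    else
        echo "port 4005 is loopback-only or closed"
    fi
done

# On a live machine: ss -ltn | exposed_listeners 4005
```

Any output from the live command means the swank port is bound to something other than loopback.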