I'd just like to mention that if hardening on backend can't be performed for whatever reason (let's say other servers in your network need to access your node on that same socket with other paths), you can also implement an LTM policy on your BIG-IP to check for /services path in the URL and rejecting any other client request.
You do need to assign an http profile to the virtual server (as well as the LTM policy of course) to achieve this. If we're talking about HTTPS traffic, you also need to import certificates on the BIG-IP unit and configure + assign a clientSSL (end eventually serverSSL too) profile/s to that same VS.