By default it listens to connections made by any host, which is unnecessary given the very specific task it has to carry out.

Fix: add a setting, at the top of the file itself where the other settings are located, where you specify the addresses of the hosts that can connect.
Then, after accepting a connection, use socket_getpeername() to find out the ip of the caller, and if it is not in the whitelist just close the connection.