Mount /tmp with noexec, nodev and nosuid flags. In most cases, a simple tmpfs ramdisk with a maximum size of 100 MB should be enough. Just insert this line into /etc/fstab, and do a "mount /tmp" afterwards:
tmpfs /tmp tmpfs nodev,noexec,nosuid,size=100M,mode=1777 0 0
If a script kiddie still manages to drop a file in /tmp, there is no way to execute it.
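
To confirm that the flags are really in effect after the mount, the check below reads a mount table in fstab or /proc/mounts layout and reports which of nodev, noexec and nosuid are missing for /tmp. It is an added example, not part of the original tip; the function names and the sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the mount flags of /tmp (names and samples are constructed).
REQUIRED_OPTS="nodev noexec nosuid"

# Reads a mount table (fstab or /proc/mounts layout) on stdin and prints the
# required options that the entry for mount point $1 (default /tmp) lacks.
# Prints "not-mounted" when there is no entry. If several entries match, the
# last one is used, because a later mount is stacked on top of earlier ones.
missing_mount_opts() {
    mp=${1:-/tmp}
    opts=$(awk -v mp="$mp" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        $2 == mp { o = $4; found = 1 }       # field 2: mount point, field 4: options
        END { if (!found) exit 1; print o }') || { echo "not-mounted"; return 0; }
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;                  # flag is present
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    echo "$missing"
}

# Succeeds only when the mount point exists and carries every required flag.
mount_is_hardened() {
    [ -z "$(missing_mount_opts "${1:-/tmp}")" ]
}

# Constructed sample tables (not taken from a real host).
SAMPLE_HARDENED='# /etc/fstab
/dev/sda1 / ext4 defaults 0 1
tmpfs /tmp tmpfs nodev,noexec,nosuid,size=100M,mode=1777 0 0'
SAMPLE_WEAK='tmpfs /tmp tmpfs rw,nosuid,relatime,size=102400k 0 0'

printf '%s\n' "$SAMPLE_HARDENED" | missing_mount_opts /tmp
printf '%s\n' "$SAMPLE_WEAK" | missing_mount_opts /tmp

# Live check on a Linux host:
#   mount_is_hardened /tmp < /proc/mounts || echo "/tmp is missing hardening flags"
```

Run against /proc/mounts rather than /etc/fstab to see what the kernel is enforcing right now, since an fstab edit has no effect until the filesystem is mounted or remounted.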