Securing Oracle

We have the following Oracle-related IPs/ports exposed:

tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1313/tnslsnr
tcp        0      0 0.0.0.0:1521            0.0.0.0:*               LISTEN      1313/tnslsnr
tcp        0      0 0.0.0.0:44803           0.0.0.0:*               LISTEN      1558/xe_d000_XE

First, we limit the IPs on which the 1521 service is exposed.
To do so, we edit $ORACLE_HOME/network/admin/listener.ora:

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))
      #(ADDRESS = (PROTOCOL = TCP)(HOST = achtung)(PORT = 1521))
    )
  )

Note that you can include one line like
(ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))
for each address on which you want to offer this service. Checking:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1521          0.0.0.0:*               LISTEN      25959/tnslsnr
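
The check above as a script (an added example, not part of the original notes): it reads netstat -tlnp style output on stdin and prints every Oracle socket still listening on a non-loopback address. The program-name patterns (tnslsnr, xe_*) are taken from the output on this page; the sample input is built from the lines shown here plus one made-up sshd entry.

```sh
#!/bin/sh
# Print "local-address program" for each Oracle listener that is
# bound to something other than a loopback address.
oracle_exposed() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # $4 = local address, $7 = PID/Program name
            split($7, p, "/"); prog = p[2]
            # Only Oracle processes seen on this page: listener and XE dispatchers.
            if (prog !~ /^(tnslsnr|xe_)/) next
            addr = $4
            sub(/:[0-9]+$/, "", addr)            # strip the port
            if (addr ~ /^127\./ || addr == "::1") next   # loopback is fine
            print $4, prog
        }'
}

# Constructed sample: the lines from this page plus one unrelated service.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1313/tnslsnr
tcp        0      0 0.0.0.0:1521            0.0.0.0:*               LISTEN      1313/tnslsnr
tcp        0      0 0.0.0.0:44803           0.0.0.0:*               LISTEN      1558/xe_d000_XE
tcp        0      0 127.0.0.1:1521          0.0.0.0:*               LISTEN      25959/tnslsnr
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      801/sshd
EOF
}

# Demo run on the sample; on a real host use: sudo netstat -tlnp | oracle_exposed
sample_netstat | oracle_exposed
```

Run netstat as root so the PID/Program name column is filled in; lines without a program name are skipped. Empty output means none of the matched Oracle processes listens on a non-loopback address.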

Second, we change the HTTP port to a non-default one:

oracle@achtung:~$ sqlplus system@xe
SQL> begin
  2  dbms_xdb.sethttpport('8888');
  3  end;
  4  /
PL/SQL procedure successfully completed.
SQL> commit;
Commit complete.
SQL>

No restart needed, the updated port is listening right now :D
SQL> select dbms_xdb.gethttpport as "HTTP-Port", dbms_xdb.getftpport as "FTP-Port" from dual;
 HTTP-Port   FTP-Port
---------- ----------
      8888          0
SQL>

To disable a port completely, simply set it to zero. Both the HTTP and FTP ports can be managed this way:
dbms_xdb.sethttpport('0');
dbms_xdb.setftpport('0');

And now we want to disable the default launch on boot:

ocm@achtung:~:$ sudo update-rc.d oracle-xe disable 2

Thanks to http://docs.oracle.com/cd/E11882_01/network.112/e10836/listenercfg.htm#i483142