1. Password Protect - This one is a given. You should always protect the listener with a password
2. Listener.ora logging - I set logging on the listener so that each attempted connection is logged. This is a good way to see who is trying to access your database. The only issue which may arise with the logging feature is that the log file will continue to grow in size. You must create a job or manually create a new listener log at some point, or your log file will become too large. Creating an automated job to complete log switching is easy, but you must remember that you'll need to stop the listener before you can alter the log file. On a Windows server, you can use a batch script similar to the following (the ping command just pauses the script momentarily...this gives the listener service a chance to stop):
ping -n 11 localhost
echo Change log...
The above script simply renames your log file and when the listener is restarted, it will create a new log file. You may also wish to copy the archived log file to a new location to free up some space in the TNS log directory.
3. Use the ADMIN_RESTRICTIONS_listener-name=ON listener.ora parameter. This will disable any remote LSNRCTL access.
Hopefully via the usage of these security settings coupled with the server security, the Oracle database TNS listener should be secure.
If anyone has another means of protecting the TNS listener which should be used by default, please let me know. I am always looking for better ways to secure Oracle.