Bumping this again; does anyone have an idea?
My understanding is that applications use a different account than REST services.
I'd start by locking/deleting the APEX_REST_PUBLIC user (or whatever you configured it for).
Also, make sure none of your code/tables have grants to PUBLIC. (This should be part of your general security anyways; some exceptions apply.)
I.e., preventing APEX_REST_PUBLIC from gaining access to anything ensures that if there are any REST services, it won't be able to get any data.
I don't know if there is a way to disable the RESTful Services within ORDS. Check the documentation and then ask Support.
Support gave the solution:
The way to disable RESTful services is NOT to configure the AL and RT connection pools in ORDS / REST Data Services (APEX Listener).
Remove or rename the apex_rt.xml and apex_al.xml files available in the configuration directory (conf) used by those instances configured against ORDS / the APEX Listener.
This way ORDS / the APEX Listener will not be able to route REST requests to the database and will return 404 to the end user.
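
The rename step described in the last post, as an added example that is not part of the original thread or Oracle's own tooling. The two file names come from the thread; the function names, the `.disabled` suffix and the conf directory passed as an argument are assumptions.

```shell
#!/bin/sh
# Added example: take the REST pool files out of an ORDS / APEX Listener
# conf directory by renaming them, and verify that none remains active.
# File names are from the thread; the ".disabled" suffix is an assumption.

REST_POOL_FILES="apex_rt.xml apex_al.xml"

# Print the REST pool files still active in conf dir $1, one per line.
rest_pools_present() {
    for f in $REST_POOL_FILES; do
        [ -f "$1/$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Rename each active REST pool file in conf dir $1 to <name>.disabled.
# Idempotent: files that are absent or already renamed are skipped.
# Returns 0 only when no REST pool file remains active afterwards.
disable_rest_pools() {
    conf=$1
    [ -d "$conf" ] || { echo "not a directory: $conf" >&2; return 1; }
    for f in $REST_POOL_FILES; do
        [ -f "$conf/$f" ] || continue
        # Never overwrite a backup left by an earlier run.
        if [ -e "$conf/$f.disabled" ]; then
            echo "backup exists, not overwriting: $conf/$f.disabled" >&2
            return 1
        fi
        mv -- "$conf/$f" "$conf/$f.disabled" || return 1
        echo "renamed $f -> $f.disabled"
    done
    [ -z "$(rest_pools_present "$conf")" ]
}

# When called with a conf directory argument, apply the change to it.
if [ "$#" -gt 0 ]; then
    disable_rest_pools "$1"
fi
```

Renaming rather than deleting keeps the original pool definitions available if REST services have to be restored later.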