Harden the systemd service

scripts/systemd.sslh.service

@@ -6,6 +6,22 @@ After=network.target
 EnvironmentFile=/etc/conf.d/sslh
 ExecStart=/usr/bin/sslh --foreground $DAEMON_OPTS
 KillMode=process
+#Hardening
+PrivateTmp=true
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+SecureBits=noroot-locked
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+MountFlags=private
+NoNewPrivileges=true
+PrivateDevices=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+MemoryDenyWriteExecute=true
+DynamicUser=true
 
 [Install]
 WantedBy=multi-user.target