# /etc/systemd/system/sslh.service
[Unit]
Description=SSL/SSH multiplexer (fork mode) for %I
After=network.target

[Service]
EnvironmentFile=/etc/conf.d/sslh
ExecStart=/usr/sbin/sslh -f $DAEMON_OPTS
KillMode=process
#Hardening
PrivateTmp=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
SecureBits=noroot-locked
ProtectSystem=strict
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
MountFlags=private
NoNewPrivileges=true
PrivateDevices=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
MemoryDenyWriteExecute=true
DynamicUser=true

[Install]
WantedBy=multi-user.target