diff --git a/debian/ngcp-rate-o-mat.service b/debian/ngcp-rate-o-mat.service
index abc3030..aabfde8 100644
--- a/debian/ngcp-rate-o-mat.service
+++ b/debian/ngcp-rate-o-mat.service
@@ -9,6 +9,80 @@ EnvironmentFile=-/etc/default/ngcp-rate-o-mat
 ExecStart=/usr/sbin/ngcp-rate-o-mat
 ExecReload=/bin/kill -HUP $MAINPID
 
+# Service cannot create writable executable memory mappings that are writable and executable at the same time
+MemoryDenyWriteExecute=true
+
+# Service cannot modify the control group file system (via /sys/fs/cgroup)
+ProtectControlGroups=true
+
+# Service cannot load or read kernel modules
+ProtectKernelModules=true
+
+# Service cannot alter kernel tunables (/proc + /sys)
+ProtectKernelTunables=true
+
+# Service may execute system calls only with native ABI
+SystemCallArchitectures=native
+
+# Limit set of capabilities
+CapabilityBoundingSet=
+
+# Service process does not receive ambient capabilities
+AmbientCapabilities=
+
+# Service has no access to other software's temporary files
+PrivateTmp=true
+
+# Service has no access to hardware devices
+PrivateDevices=true
+
+# Service has no access to home directories
+ProtectHome=true
+
+# Service has strict read-only access to the OS file hierarchy
+ProtectSystem=strict
+
+# Limit write access
+ReadWritePaths=/run/
+
+# Service cannot change ABI personality
+LockPersonality=true
+
+# Turn off acquisition of new privileges system-wide
+NoNewPrivileges=true
+
+# Service has own user namespace, only root, nobody, and the uid/gid under which the service is running are mapped
+PrivateUsers=true
+
+# Service user cannot leave SysV IPC objects around
+# NOTE: service runs as root, so option does not matter
+RemoveIPC=true
+
+# Restrict access to the various process namespace types the Linux kernel provides
+RestrictNamespaces=true
+
+# Service may not acquire realtime scheduling
+RestrictRealtime=true
+
+# Files created by service are accessible only by service's own user by default
+UMask=0077
+
+# NOTE: Service needs access to the host's network, to access DB
+PrivateNetwork=false
+
+# Control access to specific device nodes by the executed processes
+DevicePolicy=closed
+
+# Maximum number of bytes of memory that may be locked into RAM
+LimitMEMLOCK=0
+
+# Restrict service to allocation of local sockets and network sockets only
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+# Restrict system calls that are allowed to be executed
+SystemCallFilter=@system-service
+SystemCallFilter=~@chown @clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap
+
 [Install]
 WantedBy=multi-user.target
 Alias=rate-o-mat.service