#1094322 fail2ban: Please add support for systemd security settings

Package:
fail2ban
Source:
fail2ban
Submitter:
Russell Coker
Date:
2025-01-27 07:12:02 UTC
Severity:
normal
#1094322#5
Date:
2025-01-27 07:09:15 UTC
The following systemd security settings have been tested and allow fail2ban to
work normally while significantly decreasing its ability to change things on
the system.

This program processes data from hostile systems on the Internet and needs
access to perform privileged operations.  So we want it to run with minimum
privs.

[Service]
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @swap @resources @reboot @raw-io @obsolete
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_TTY_CONFIG CAP_NET_ADMIN
ProtectSystem=true
PrivateTmp=true
ProtectHome=true
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectHostname=true
NoNewPrivileges=false
RestrictNamespaces=true
ProtectClock=true
RestrictSUIDSGID=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectKernelLogs=true
PrivateDevices=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK AF_PACKET
UMask=077
LockPersonality=true
RestrictRealtime=true
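As an added example (not part of the bug report or of fail2ban), the following Python parses a systemd `[Service]` drop-in the way systemd treats list-typed directives (repeated assignments append, an empty assignment resets) and audits it against the hardening directives listed above, flagging the two that the report deliberately leaves at `false`. The `HARDENING` baseline is taken from the report's settings; the sample drop-in is constructed from them.

```python
# Directives a sandboxing review expects to be enabled (the set in the report).
HARDENING = ("ProtectSystem PrivateTmp ProtectHome MemoryDenyWriteExecute ProtectKernelModules "
             "ProtectHostname NoNewPrivileges RestrictNamespaces ProtectClock RestrictSUIDSGID "
             "ProtectKernelTunables ProtectControlGroups ProtectKernelLogs PrivateDevices "
             "LockPersonality RestrictRealtime").split()
LIST_KEYS = {"SystemCallFilter", "CapabilityBoundingSet", "RestrictAddressFamilies"}
ENABLED = {"true", "yes", "full", "strict", "read-only", "tmpfs"}  # values that harden

def parse_service(text):
    """Parse [Service]; list keys append across assignments, an empty one resets."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if key not in LIST_KEYS:
            settings[key] = value                      # last scalar assignment wins
        elif value == "":
            settings[key] = []                         # empty assignment resets the list
        else:
            settings.setdefault(key, []).extend(value.split())
    return settings

def audit(settings):
    """Return hardening directives that are missing or relaxed, plus a bounding
    set that still includes CAP_SYS_ADMIN (allowlist form assumed, not the ~ form)."""
    findings = [f"{k} not set" for k in HARDENING if k not in settings]
    findings += [f"{k}={settings[k]} relaxed" for k in HARDENING
                 if k in settings and settings[k].lower() not in ENABLED]
    # An unset bounding set means every capability, CAP_SYS_ADMIN included.
    if "CAP_SYS_ADMIN" in settings.get("CapabilityBoundingSet", ["CAP_SYS_ADMIN"]):
        findings.append("CapabilityBoundingSet leaves CAP_SYS_ADMIN available")
    return findings

# Constructed sample: the report's drop-in, with its fourteen "=true" lines
# generated from HARDENING and CapabilityBoundingSet split to exercise appending.
DROPIN = "[Service]\n" + "".join(
    f"{k}=true\n" for k in HARDENING if k not in ("NoNewPrivileges", "PrivateDevices")) + """\
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @swap @resources @reboot @raw-io @obsolete
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
CapabilityBoundingSet=CAP_SYS_TTY_CONFIG CAP_NET_ADMIN
NoNewPrivileges=false
PrivateDevices=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK AF_PACKET
"""
```

Running `audit(parse_service(DROPIN))` reports only the two relaxed directives, which is the expected result for this drop-in: both are left off because fail2ban must still invoke privileged firewall tooling.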