diff --git a/packaging/systemd/rsync.service b/packaging/systemd/rsync.service
index 8a867ca64..0012b9824 100644
--- a/packaging/systemd/rsync.service
+++ b/packaging/systemd/rsync.service
@@ -25,8 +25,31 @@ Restart=on-failure
 ProtectSystem=full
 #ProtectHome=on|off|read-only
+
+# These are general hardening parameters that should not affect file access
 PrivateDevices=on
 NoNewPrivileges=on
+MemoryDenyWriteExecute=on
+LockPersonality=on
+PrivateTmp=on
+ProtectClock=on
+ProtectControlGroups=on
+ProtectHostname=on
+ProtectKernelLogs=on
+ProtectKernelModules=on
+ProtectKernelTunables=on
+ProtectProc=invisible
+ProcSubset=pid
+RestrictNamespaces=on
+RestrictRealtime=on
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+# We only listen on TCP sockets
+SocketBindAllow=ipv4:tcp
+SocketBindAllow=ipv6:tcp
+SocketBindDeny=any
 [Install]
 WantedBy=multi-user.target
diff --git a/packaging/systemd/rsync@.service b/packaging/systemd/rsync@.service
index 63ba0c7c4..83390002c 100644
--- a/packaging/systemd/rsync@.service
+++ b/packaging/systemd/rsync@.service
@@ -24,5 +24,29 @@ StandardError=journal
 ProtectSystem=full
 #ProtectHome=on|off|read-only
+
+# These are general hardening parameters that should not affect file access
 PrivateDevices=on
 NoNewPrivileges=on
+MemoryDenyWriteExecute=on
+LockPersonality=on
+PrivateTmp=on
+ProtectClock=on
+ProtectControlGroups=on
+ProtectHostname=on
+ProtectKernelLogs=on
+ProtectKernelModules=on
+ProtectKernelTunables=on
+ProtectProc=invisible
+ProcSubset=pid
+RestrictNamespaces=on
+RestrictRealtime=on
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+# These settings work only for inetd-style activation
+RestrictAddressFamilies=AF_UNIX
+PrivateNetwork=on
+IPAddressDeny=any
+
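Review bot: `SystemCallFilter=@system-service` leaves chroot(2) out (systemd keeps it in @privileged, which @system-service excludes), while an rsync daemon chroots into each module unless the module sets `use chroot = false`; with `SystemCallErrorNumber=EPERM` every connection to such a module would then fail with a chroot error that reads like a filesystem problem rather than a sandbox one. If chroot is meant to keep working, allow it explicitly, `SystemCallFilter=@system-service chroot`, with a comment saying why; if it is not, the comment above the block should state that modules must disable `use chroot`. The same filter and comment are added to rsync@.service in the second hunk, so whichever choice is made applies there too. `ProtectProc=` and `ProcSubset=` are only understood by recent systemd releases; older ones log an unknown-assignment warning and skip the line, so the comment should not imply that every listed setting is guaranteed to be in effect.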
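Review bot: `RestrictAddressFamilies=AF_UNIX` together with `PrivateNetwork=on` leaves the instance no way to reach a DNS resolver, so `hosts allow`/`hosts deny` entries written as hostnames, and reverse lookups used for logging, will presumably no longer resolve unless /etc/hosts answers them; a hostname-only `hosts allow` would then deny every client, which is fail-closed but hard to diagnose. The comment should spell out the constraint, e.g. `# No resolver access here: write hosts allow/deny as addresses or CIDR ranges, not hostnames`. The final added line is a stray trailing blank line at end of file. The hunk header counts five old-side lines but only four context lines are visible here, so a context line may have been lost when the diff was collapsed.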