diff --git a/gonx.service b/gonx.service
index a7d874f..545e22d 100644
--- a/gonx.service
+++ b/gonx.service
@@ -37,6 +37,9 @@ RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 UMask=0027
+ProtectProc=noaccess
+ProcSubset=pid
+SystemCallFilter=~@clock @swap @reboot @raw-io @privileged @obsolete @mount @module @debug @cpu-emulation
 
 [Install]
 WantedBy=multi-user.target