diff --git a/README.md b/README.md index 8c232ae..da9becd 100644 --- a/README.md +++ b/README.md @@ -132,6 +132,9 @@ configuration file and significant hardening is applied to a myriad of component - Disable TCP timestamps as they can allow detecting the system time. +- Disable reuse of `TIME_WAIT` sockets for new outgoing connections as the above + setting disables TCP timestamps. + - Optional - Log packets with impossible source or destination addresses to enable further inspection and analysis. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index a4914da..c9a3f97 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -565,6 +565,16 @@ net.ipv6.conf.*.accept_ra=0 ## net.ipv4.tcp_timestamps=0 +## Disable reuse of TIME_WAIT sockets for new outgoing connections. +## The safety of reusing of TIME_WAIT sockets requires enabling TCP timestamps. +## The kernel uses timestamps to verify a new connection is not a duplicate segment from an older connection. +## Hence TIME-WAIT sockets should wait the full timeout period before being made available again. +## Can lead to port exhaustion on high-traffic networks with numerous short-lived connections. +## +## https://vincent.bernat.ch/en/blog/2014-tcp-time-wait-state-linux +## +net.ipv4.tcp_tw_reuse=0 + ## Enable logging of packets with impossible source or destination addresses. ## Martian and unroutable packets may be used for malicious purposes. ## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets.
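Review bot: in the README hunk, "as the above setting disables TCP timestamps" leaves the dependency implicit, and the two bullets read as if the second were only a consequence of ordering; state the relationship directly, e.g. "Disable reuse of `TIME_WAIT` sockets for new outgoing connections, since reuse is only safe when TCP timestamps are enabled and they are disabled above." Also consider carrying the trade-off that the sysctl comment spells out (possible ephemeral port exhaustion on hosts with many short-lived outgoing connections) into this bullet, so README readers see the cost of the hardening without opening the configuration file.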
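Review bot: in the sysctl hunk, the comment "Can lead to port exhaustion on high-traffic networks with numerous short-lived connections." has no subject, so it is unclear whether the warning refers to enabling or disabling reuse; since `net.ipv4.tcp_tw_reuse=0` makes sockets wait the full timeout, it should read "Disabling reuse can lead to port exhaustion ...". Two smaller wording points in the same block: "The safety of reusing of TIME_WAIT sockets" should be "The safety of reusing TIME_WAIT sockets", and "TIME-WAIT" and "TIME_WAIT" should be spelled consistently. It would also help to state, as the README bullet does, that this setting only affects new outgoing connections, and to keep it adjacent to `net.ipv4.tcp_timestamps=0` (as it is here) since the comment justifies one by the other.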