diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg
new file mode 100644
index 0000000..8e2baff
--- /dev/null
+++ b/etc/default/grub.d/40_enable_iommu.cfg
@@ -0,0 +1,2 @@
+# Enables IOMMU to prevent DMA attacks.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"
diff --git a/etc/modprobe.d/blacklist-dma.conf b/etc/modprobe.d/blacklist-dma.conf
new file mode 100644
index 0000000..3e2c7de
--- /dev/null
+++ b/etc/modprobe.d/blacklist-dma.conf
@@ -0,0 +1,3 @@
+# Blacklist thunderbolt and firewire to prevent some DMA attacks.
+blacklist firewire-core
+blacklist thunderbolt
diff --git a/etc/sysctl.d/dmesg_restrict.conf b/etc/sysctl.d/dmesg_restrict.conf
new file mode 100644
index 0000000..789769d
--- /dev/null
+++ b/etc/sysctl.d/dmesg_restrict.conf
@@ -0,0 +1,2 @@
+# Restricts the kernel log to root only.
+kernel.dmesg_restrict=1
diff --git a/etc/sysctl.d/sysrq.conf b/etc/sysctl.d/sysrq.conf
new file mode 100644
index 0000000..266e275
--- /dev/null
+++ b/etc/sysctl.d/sysrq.conf
@@ -0,0 +1,2 @@
+# Allow only rebooting/shutting down with the SysRq key.
+kernel.sysrq=128
diff --git a/etc/sysctl.d/tcp_hardening.conf b/etc/sysctl.d/tcp_hardening.conf
index 0cea4be..e192a8b 100644
--- a/etc/sysctl.d/tcp_hardening.conf
+++ b/etc/sysctl.d/tcp_hardening.conf
@@ -15,5 +15,12 @@ net.ipv6.conf.default.accept_redirects=0
 net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.default.send_redirects=0
 
-# Ignores ICMP requests
+# Ignores ICMP requests.
 net.ipv4.icmp_echo_ignore_all=1
+
+# Enables TCP syncookies.
+net.ipv4.tcp_syncookies=1
+
+# Disable source routing.
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0
diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service
new file mode 100644
index 0000000..89a028b
--- /dev/null
+++ b/lib/systemd/system/remove-system-map.service
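Review bot: The IOMMU line in 40_enable_iommu.cfg only reaches the kernel command line once grub.cfg is regenerated, and nothing in this commit triggers that, so on an already-installed system the drop-in is inert until `update-grub` runs (unless the package's maintainer scripts do it, which is not visible here). The comment should also say that the flag depends on VT-d/AMD-Vi being enabled in firmware, since as far as I know `intel_iommu=on` does nothing observable when the firmware exposes no IOMMU, and that is easy to mistake for protection. Suggested comment: `# Enables IOMMU to prevent DMA attacks. Requires VT-d/AMD-Vi enabled in firmware; run update-grub after changing this file.`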
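Review bot: `blacklist` in blacklist-dma.conf only suppresses alias-based autoloading; the module is still loaded when requested by name or pulled in as a dependency of another module (firewire-ohci depends on firewire-core), so the DMA-capable stack can still come up. The form that actually prevents loading is `install firewire-core /bin/false` and `install thunderbolt /bin/false`, which makes every load attempt fail. Worth noting in the comment that without the thunderbolt driver the kernel-side device-authorization logic it implements is also gone, so whether a Thunderbolt port ends up closed or open becomes firmware-dependent.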
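Review bot: The comment on `kernel.dmesg_restrict=1` in dmesg_restrict.conf says "root only", but the sysctl gates on the CAP_SYSLOG capability rather than uid 0, so `# Restricts reading the kernel log buffer to processes with CAP_SYSLOG.` is the accurate wording. Its usual companion `kernel.kptr_restrict` is not part of this commit as far as visible; if it is set elsewhere in the package, a cross-reference in the comment would help.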
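Review bot: `kernel.sysrq=128` in sysrq.conf is a bitmask, and the comment reads as if 128 were a named mode, which invites a later maintainer to "enable" it with 1 (allow every SysRq function). A comment such as `# 128 = bitmask value that allows only reboot/poweroff via SysRq (see the kernel sysrq documentation).` makes the meaning explicit.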
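Review bot: The new source-routing block in tcp_hardening.conf covers only IPv4 (`net.ipv4.conf.all.accept_source_route=0` and the `default` twin), while the hunk header shows the file already pairs IPv4 with IPv6 for redirects (`net.ipv6.conf.default.accept_redirects=0`), so IPv6 routing headers stay accepted. Add `net.ipv6.conf.all.accept_source_route=0` and `net.ipv6.conf.default.accept_source_route=0` under the same comment. The comment tense also differs from its neighbours (`Disable` vs `Enables`/`Ignores`); `# Disables source routing.` matches the file's style.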
@@ -0,0 +1,9 @@
+[Unit]
+Description=Removes the System.map files
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/security-misc/remove-system.map
+
+[Install]
+WantedBy=multi-user.target
diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map
new file mode 100644
index 0000000..10071f8
--- /dev/null
+++ b/usr/lib/security-misc/remove-system.map
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+shopt -s nullglob
+
+# Removes the System.map files as they are only used for debugging or malware.
+for filename in /boot/System.map-*
+do
+   if [ -f "$(unknown)" ]; then
+      rm -f "$(unknown)"
+   fi
+done
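Review bot: remove-system-map.service is only pulled in via `WantedBy=multi-user.target`, so it runs once per boot; a kernel package installed later writes a fresh /boot/System.map-<version> that stays in place until the next reboot, unless packaging also hooks kernel installation, which this commit does not show. A `ConditionPathExistsGlob=/boot/System.map-*` line in `[Unit]` would additionally skip the unit when there is nothing to remove, keeping the journal free of no-op runs.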
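Review bot: The loop body in remove-system.map never uses its loop variable: `"$(unknown)"` is a command substitution that runs a program named `unknown`, so with `/bin/bash` and no `-e` each iteration tests and `rm -f`s an empty string and no System.map file is removed. The two lines should read `if [ -f "$filename" ]; then` and `rm -f "$filename"`. The file is also added with `new file mode 100644`, so the `ExecStart=` in remove-system-map.service cannot execute it unless the packaging sets the executable bit; the mode in the commit should be 100755.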