diff --git a/etc/sysctl.d/23-starts-unprivileged-ports.conf b/etc/sysctl.d/23-starts-unprivileged-ports.conf
new file mode 100644
index 00000000..044b417b
--- /dev/null
+++ b/etc/sysctl.d/23-starts-unprivileged-ports.conf
@@ -0,0 +1,6 @@
+# I mainly care about protecting 22/SSH, and don't see myself using ports
+# below 80 (or 70 if Gopher fans around me get me around to it), the 1024
+# unprivileged start is legacy that Windows and macOS have ended ages ago.
+# Linux 4.11 April 2017, also works for IPv6
+# https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux#comment90027734_51439516
+net.ipv4.ip_unprivileged_port_start=23
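Review bot: The comment justifies `net.ipv4.ip_unprivileged_port_start=23` only by SSH on 22, but the setting also lets every local account bind 25, 53, 80, 443 and the rest of 23-1023 whenever the intended service is not holding the port (before it starts, or during a restart or crash). That is a reasonable choice on a single-user machine but not on a host with untrusted local users or services, so I would record the trade-off in the file, e.g. `# Trade-off: any local user may bind 23-1023 when free; intended for single-user hosts only.` If only particular daemons need low ports, giving them `CAP_NET_BIND_SERVICE` (for example systemd `AmbientCapabilities=CAP_NET_BIND_SERVICE`) keeps the 1024 boundary for everything else. Since sysctl.d files are applied in lexical order, a later-sorted file setting the same key would override this one; a comment saying so would help whoever debugs an unexpected value.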