Boost Linux Server Performance: Essential Kernel and Sysctl Tweaks

This guide explains how to permanently disable SELinux, set the system runlevel, enlarge file descriptor limits, fine‑tune kernel networking parameters via /etc/sysctl.conf, configure firewall settings, and troubleshoot common Linux socket errors to significantly improve server performance.

Liangxu Linux

Disable SELinux permanently

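SELinux enforces mandatory access control, which improves security but can cause trouble when its policy blocks a service. To disable it permanently, edit /etc/selinux/config, set SELINUX=disabled, then reboot. Disabling removes that enforcement layer entirely; SELINUX=permissive keeps logging policy denials without blocking them.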

# vim /etc/selinux/config
# reboot

Set system runlevel to 3

Changing the default runlevel saves system resources by booting into multi‑user mode without a graphical interface.

# grep 3:initdefault /etc/inittab
id:3:initdefault:
# init 3

Increase maximum file descriptor limits

Edit /etc/security/limits.conf and add the following lines to raise both soft and hard limits for all users.

* soft nofile 65536
* hard nofile 65536
* soft nproc 65536
* hard nproc 65536

Explanation:

* – applies to all users.

nproc – controls the maximum number of processes.

nofile – controls the maximum number of open files/sockets.

Adjust kernel parameters in /etc/sysctl.conf

Modify network‑related settings to improve load handling and reduce packet loss.

# vim /etc/sysctl.conf

net.ipv4.tcp_syncookies = 1 – enable SYN cookies to mitigate SYN‑flood attacks.

net.ipv4.tcp_tw_reuse = 1 – allow reuse of TIME‑WAIT sockets.

net.ipv4.tcp_tw_recycle = 1 – enable fast recycling of TIME‑WAIT sockets. This option was removed in Linux 4.12, and it is known to drop connections from clients behind NAT.

net.ipv4.tcp_fin_timeout = 30 – shorten FIN‑WAIT‑2 timeout.

net.ipv4.tcp_keepalive_time = 1200 – reduce keepalive interval from 2 hours to 20 minutes.

net.ipv4.ip_local_port_range = 1024 65000 – expand the range of outbound ports.

net.ipv4.tcp_max_syn_backlog = 8192 – increase SYN queue length.

net.nf_conntrack_max = 655360 – enlarge conntrack table size.

Firewall‑related sysctl settings

Add the above parameters to the end of /etc/sysctl.conf (or a sysctl.conf.first file if present) and apply them with:

# sysctl -p
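
A pre-flight check for the settings above, added here as an example and not taken from the original article: it compares each key = value line in a sysctl.conf-style file with the running kernel and reports keys the kernel does not provide. The names PROC_SYS, norm and check_sysctl are chosen for this example.

```shell
#!/bin/sh
# Added example: compare a sysctl.conf-style file with the running kernel.
# PROC_SYS, norm and check_sysctl are names chosen for this example.
PROC_SYS="${PROC_SYS:-/proc/sys}"   # overridable so the check can run on a test tree

# Collapse tabs and runs of spaces, then trim, so "1024 65000" matches "1024<TAB>65000".
norm() { printf '%s' "$1" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//'; }

# check_sysctl FILE
# Prints OK / DIFF / MISSING per setting; returns 1 if anything is not OK.
check_sysctl() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(norm "$line")
        case "$line" in
            ''|'#'*|';'*) continue ;;   # blank lines and comments
            *=*) ;;
            *) continue ;;              # not a key = value line
        esac
        key=$(norm "${line%%=*}")
        want=$(norm "${line#*=}")
        # net.ipv4.tcp_syncookies -> $PROC_SYS/net/ipv4/tcp_syncookies
        path="$PROC_SYS/$(printf '%s' "$key" | tr . /)"
        if [ ! -e "$path" ]; then
            # sysctl -p would report an error for this line
            echo "MISSING $key"
            rc=1
            continue
        fi
        have=$(norm "$(cat "$path")")
        if [ "$have" = "$want" ]; then
            echo "OK $key = $have"
        else
            echo "DIFF $key running=$have file=$want"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Run against a file when one is given: sh check_sysctl.sh /etc/sysctl.conf
if [ "$#" -gt 0 ]; then check_sysctl "$1"; fi
```

Run it before sysctl -p to see which lines will change a value and which will fail, and again afterwards to confirm every line reports OK.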

Common exceptions

Too many open files – occurs when the process exceeds the file descriptor limit, often due to high concurrency or unclosed I/O.

TIME_WAIT overload – many sockets remain in TIME_WAIT because applications do not close connections properly.

Solutions include raising the file descriptor limits (as shown above) and adjusting the kernel network parameters to allow reuse and faster recycling of sockets.

Useful commands

Inspect network socket states:

netstat -n | awk '/^tcp/ {++state[$NF]} END {for(key in state) print key, "\t", state[key]}'

Common TCP state meanings:

CLOSED – no connection.

LISTEN – server waiting for connections.

SYN_RECV – request received, awaiting confirmation.

SYN_SENT – client initiating a connection.

ESTABLISHED – normal data transfer.

FIN_WAIT1 / FIN_WAIT2 – closing phases.

TIME_WAIT – waiting for delayed packets to expire.

LAST_ACK – final acknowledgment phase.

Conclusion

Linux provides a rich set of kernel parameters that, when tuned appropriately, can dramatically increase a server's processing capacity and reliability.
