Boost Linux Server Performance: Essential Kernel and Sysctl Tweaks

Learn how to permanently disable SELinux, set runlevel to 3, increase file descriptor limits, fine-tune kernel network parameters via /etc/sysctl.conf, configure firewall settings, and address common Linux performance issues such as too many open files and TIME_WAIT overloads.

Open Source Linux

Disable SELinux permanently

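SELinux improves system security but can cause trouble, so it is commonly disabled during performance tuning. Disabling it removes mandatory access control from the host; setting SELINUX=permissive instead keeps logging policy denials without enforcing them.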

# vim /etc/selinux/config
# change SELINUX=enforcing to SELINUX=disabled
# reboot

Set system runlevel to 3

Runlevel 3 is multi-user text mode with no graphical desktop, which saves system resources.

# grep 3:initdefault /etc/inittab
id:3:initdefault:
# init 3

Increase maximum file descriptor limits

# vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536
* soft nproc 65536
* hard nproc 65536

Explanation: * applies to all users (wildcard entries are not applied to root); nofile is the maximum number of open files, sockets included, per process; nproc is the maximum number of processes per user.

Adjust kernel parameters in /etc/sysctl.conf

Configure network parameters to improve system load capacity and to mitigate packet loss.

# vim /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.nf_conntrack_max = 655360

Descriptions:

net.ipv4.tcp_syncookies = 1: enable SYN cookies to protect against SYN-flood attacks.

net.ipv4.tcp_tw_reuse = 1: allow TIME-WAIT sockets to be reused for new connections.

net.ipv4.tcp_tw_recycle = 1: enable fast recycling of TIME-WAIT sockets. This setting drops connections from clients that share an address behind NAT, and the parameter was removed in Linux 4.12, so on newer kernels sysctl -p reports an error for this line.

net.ipv4.tcp_fin_timeout = 30: set the FIN-WAIT-2 timeout to 30 seconds.

net.ipv4.tcp_keepalive_time = 1200: send the first keepalive probe after 20 minutes of idle time instead of the default 2 hours.

net.ipv4.ip_local_port_range = 1024 65000: widen the range of local ports used for outbound connections.

net.ipv4.tcp_max_syn_backlog = 8192: increase the SYN queue length.

net.nf_conntrack_max = 655360: enlarge the conntrack table size.

Firewall‑related sysctl settings

Add the following lines to /etc/sysctl.conf (or the appropriate sysctl.conf.first file) and apply them with sysctl -p:

net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120

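These parameters control the size and timeout values of the connection-tracking table; size the table according to available RAM. The conntrack keys exist only while the nf_conntrack module is loaded, and when a key appears twice in the file the later value wins, so the nf_conntrack_max value here overrides the 655360 set earlier.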
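
A check for the two sysctl sections above, added here as an example and not part of the original article: after sysctl -p, compare every configured key with the live value under /proc/sys, so settings the kernel rejected or never had do not go unnoticed. The names audit_sysctl, norm and demo are illustrative, and the demo tree is constructed to model a kernel that has no tcp_tw_recycle key.

```shell
#!/bin/sh
# Added example (not from the article): audit a sysctl.conf-style file
# against the kernel's live values.
# Usage: audit_sysctl CONF [PROC_ROOT]    PROC_ROOT defaults to /proc/sys
# Per setting prints OK, DRIFT (live value differs) or MISSING (no such key on
# this kernel: module not loaded, or the key was removed). Returns 1 if any
# setting is not OK. Assumes key names contain no dots of their own
# (true for every key in the article).

norm() {  # trim and collapse whitespace; the kernel prints ranges tab-separated
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

audit_sysctl() {
    conf=$1; root=${2:-/proc/sys}; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                           # drop comments
        case $line in *=*) ;; *) continue ;; esac  # skip lines without key=value
        key=$(norm "${line%%=*}"); want=$(norm "${line#*=}")
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -e "$path" ]; then
            echo "MISSING $key"; rc=1
            continue
        fi
        have=$(norm "$(cat "$path")")
        if [ "$have" = "$want" ]; then
            echo "OK $key"
        else
            echo "DRIFT $key want=$want have=$have"; rc=1
        fi
    done < "$conf"
    return $rc
}

demo() {  # constructed sample: fake /proc/sys tree of a kernel lacking tcp_tw_recycle
    d=$(mktemp -d); mkdir -p "$d/proc/net/ipv4"
    echo 1 > "$d/proc/net/ipv4/tcp_syncookies"
    echo 60 > "$d/proc/net/ipv4/tcp_fin_timeout"
    printf '1024\t65000\n' > "$d/proc/net/ipv4/ip_local_port_range"
    cat > "$d/sysctl.conf" <<'EOF'
# values taken from the article
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.ip_local_port_range = 1024 65000
EOF
    status=0; audit_sysctl "$d/sysctl.conf" "$d/proc" || status=$?
    rm -rf "$d"; return $status
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh script.sh demo` for the constructed case, or source it and call `audit_sysctl /etc/sysctl.conf` on a real host.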

Common issues

Too many open files (or handles)

Connection timeout due to excessive TIME_WAIT sockets

The “too many open files” error occurs when a process exceeds its file-descriptor limit; increasing the limits in /etc/security/limits.conf resolves it. The new limits apply to sessions started after the change.

Excessive TIME_WAIT sockets usually indicate that applications are not closing connections properly; checking the application code and the kernel network settings above helps mitigate the problem.

Common commands

View network connection states:

netstat -n | awk '/^tcp/ {++state[$NF]} END {for(key in state) print key, "\t", state[key]}'

State descriptions:

CLOSED – no connection is active.

LISTEN – server is waiting for incoming calls.

SYN_RECV – a connection request has arrived and is awaiting confirmation.

SYN_SENT – the client has initiated a connection.

ESTABLISHED – normal data transfer state.

FIN_WAIT1 – the application has finished sending.

FIN_WAIT2 – the remote side has agreed to release.

TIME_WAIT – waiting for all packets to die.

CLOSING – both sides are trying to close simultaneously.

LAST_ACK – waiting for the final ACK.

Summary

Linux provides a rich set of kernel parameters; proper tuning of SELinux, runlevel, file‑descriptor limits, sysctl network settings, and conntrack values can significantly improve server processing capability.

Written by

Open Source Linux
