wordpress-子主题Child Theme

zh-cn:子主题

WordPress子主题也是一个主题,它继承了另一个主题——父主题——的功能,并允许你对父主题的功能进行修改,或者添加新功能。本文将说明如何创建一个基本的子主题并解释您能用它来干什么。本文将使用 WordPress 3.0 的默认主题 Twenty Ten 作为父主题进行举例说明。

创建一个子主题是很简单的。创建一个目录,将格式编写正确的 style.css 文件放进去,一个子主题就做成了!只需要对 HTML 和 CSS具有基本的了解,您就可以通过创建一个非常基本的子主题 来对一个父主题的样式和布局进行修改和扩展,而不需要对父主题的文件作任何修改。通过这样的方式,当父主题被更新的时候,您所做的修改就可以保存下来。

因为这个原因,我们强烈推荐您使用子主题的方式来对主题进行修改。

如果您对 PHP, WordPress Templates,和 WordPress Plugin API有个基本的理解,理论上来讲,您可以使用子主题对父主题的每一个方面进行扩展,而不需要对父主题的文件进行任何修改。

目录结构

子主题放在wp-content/themes目录下属于自己的目录里。下面的结构显示的就是子主题和它的父主题(Twenty Ten)在典型的WordPress目录结构中的位置:

  • public_html
    • wp-content
      • themes (主题存放的目录)
        • twentyten (示例中父主题Twenty Ten的目录)
        • twentyten-child (子主题存放的目录,可以任意命名)
          • style.css (子主题中不可或缺的文件,文件名必需为 style.css)

这个文件夹里面可以少至只包含一个style.css文件,也可以包含多至一个完整WordPress主题所拥有的文件:

  1. style.css (必需)
  2. functions.php (可选)
  3. Template files (可选)
  4. Other files (可选)

让我们看看它们是如何起作用的。

必需的style.css文件

style.css是一个子主题唯一必须的文件。它的头部提供的信息让WordPress辨认出子主题,并且重写父主题中的style.css文件

对于任何WordPress主题,头部信息必须位于文件的顶端,唯一的区别就是子主题中的Template:行是必须的,因为它让WordPress知道子主题的父主题是什么。

下面是一个style.css文件的头部信息的示例:

/*
Theme Name:     Twenty Ten Child
Theme URI:      http: //example.com/
Description:    Child theme for the Twenty Ten theme 
Author:         Your name here
Author URI:     http: //example.com/about/
Template:       twentyten
Version:        0.1.0
*/

逐行的简单解释:

  • Theme Name. (必需) 子主题的名称
  • Theme URI. (可选) 子主题的主页。
  • Description. (可选) 子主题的描述。比如:我的第一个子主题,真棒!
  • Author URI. (可选) 作者主页。
  • Author. (optional) 作者的名字。
  • Template. (必需) 父主题的目录名,区别大小写。 注意: 当你更改子主题名字时,要先换成别的主题。
  • Version. (可选) 子主题的版本。比如:0.1,1.0,等。

*/ 这个关闭标记的后面部分,就会按照一个常规的样式表文件一样生效,你可以把你想对WordPress应用的样式规则都写在它的后面。

要注意的是,子主题的样式表会替换父主题的样式表而生效。(事实上WordPress根本就不会载入父主题的样式表。)所以,如果你想简单地改变父主题中的一些样式和结构——而不是从头开始制作新主题——你必须明确的导入父主题的样式表,然后对它进行修改。下面的例子告诉你如何使用@import规则完成这个。

一个子主题的范例

这个例子中的父主题是Twenty Ten,我们喜欢这个主题的几乎每个部分,除了网站标题的颜色,因为我想把它从黑色的改成绿色的。使用子主题的话,只用完成以下三个简单的步骤:

  1. wp-content/themes目录下创建一个新目录,并将它命名为twentyten-child(或其他你喜欢的名称)。
  2. 将下面的代码保存在名为style.css的文件里,并将它放到新建的这个文件夹。
  3. 到WordPress的控制台>主题,然后激活你的新主题:Twenty Ten Child。
/*
Theme Name: Twenty Ten Child
Description: Child theme for the Twenty Ten theme 
Author: Your name here
Template: twentyten
*/

@import url("../twentyten/style.css");

#site-title a {
    color: #009900;
}

下面一步步解释上面代码的作用:

  1. /* 开启子主题的头部信息。
  2. Theme Name: 子主题名称的声明。
  3. Description: 主题的描述(可选,也可被省略)。
  4. Author: 作者名字的声明(可选,也可被省略)。
  5. Template: 声明子主题的父主题,换言之,父主题所在的文件夹的名称,区分大小写。
  6. */子主题头部信息的关闭标记。
  7. 用 @import规则将父主题的样式表调入
  8. #site-title a 定义网站标题的颜色(绿色),覆盖父主题中相同的样式规则。

注意 @import 规则

需要注意的是,@import 规则之前没有其他的CSS样式规则,如果你将其他的规则置于它之上,那么它将无效,并且父主题的样式表不会被导入。

使用 functions.php

不像style.css,子主题中的functions.php不会覆盖父主题中对应功能,而是将新的功能加入到父主题的functions.php中。(其实它会在父主题文件加载之前先载入。)

这样,子主题的functions.php提供了一个灵活稳定的方式来修改父主题的功能。如果你想在你的主题里加入一些PHP函数,最快的方式可能是打开functions.php文件然后加入进去。但那样并不灵活:下次你的主题升级更新了,你加入的新功能就会丢失掉。相反地,如果你使用子主题,将functions.php文件放进去,再将你想加入的功能写进这个文件里,那么这个功能同样会工作得很好,并且对于父主题以后的升级更新,子主题中加入的功能也不会受到影响。

functions.php文件的结构非常简单:将PHP起始标签置于顶部,关闭标签置于底部,它们之间就写上你自己的PHP函数。你可以写得很多,也可以写得很少,反正按你所需。下面的示例是一个基本的functions.php文件的写法,作用是将favicon链接加入到HTML页面的head元素里面。

<?php

function favicon_link() {
    echo '<link rel="shortcut icon" type="image/x-icon" href="/favicon.ico" />' . "\n";
}
add_action('wp_head', 'favicon_link');

?>

给主题作者的提示。事实上子主题的functions.php首先加载意味着你的主题的用户功能可插入——即子主题是可替换的——通过有条件地进行声明。例如:

if (!function_exists('theme_special_nav')) {
    function theme_special_nav() {
        //  Do something.
    }
}

注意,替换的过程是在父级主题中,使用php的function_exits进行判断。 用这种方式,子主题可以替换父主题中的一个PHP函数,只需要简单地对它再次声明。

模板文件

模板文件 在子主题中的表现和style.css一样,它们会覆盖父主题中的相同文件。子主题可以覆盖任何父主题模板中的文件,只需要创建同名文件就行。(注意:index.php在WordPress3.0及以上版本才能被覆盖。)

同样,这项WordPress的功能允许你修改父主题的样式功能而不用去编辑父主题的文件,并且你的修改能让你在更新父主题后继续保留。

下面是一些使用模板文件的子主题的例子:

  • 增加一个父主题没有提供的模板(例如:网站地图页面的模板,或者一单栏页面,它们在页面编辑,模板选择里是可用的)
  • 增加一个比父模板更加具体的模板(见模板级别)。(例如:新加的tag.php模板用于按tag归档的文章来代替父主题中通常的archive.php模板。)
  • 替换父主题中的一个模板.(例:使用你自己的home.php来覆盖父主题中的home.php

其他文件

除了style.css,functions.php,index.php和home.php,子主题可以使用任何正式主题使用的类型的文件,只要文件被正确链接。打个比方,你可以使用在样式表里或者Javascript文件里链接的图标、图片,或者从functions.php文件中调用出来的额外PHP文件。

转载自:https://codex.wordpress.org/Child_Themes

ftp软件-免费开源的FileZilla

FileZilla是一个免费开源的FTP软件,分为客户端版本和服务器版本,具备所有的FTP软件功能。可控性、有条理的界面和管理多站点的简化方式使得Filezilla客户端版成为一个方便高效的FTP客户端工具,而FileZilla Server则是一个小巧并且可靠的支持FTP&SFTP的FTP服务器软件。
FileZilla是一种快速、可信赖的FTP客户端以及服务器端开放源代码程式,具有多种特色、直接的接口。FileZilla在2002年11月获选为当月最佳推荐专案。
因为需要对网站进行管理,所以利用FileZilla的站点管理功能,将本地文件传送到服务器。也可以下载服务器文件。其实利用 了sftp功能,FileZilla支持网络代理。可以方便的进行远程连接操作。

 
 
 

windows特有软件-AdvanceSystemCare

Advanced SystemCare

Advanced SystemCare是一款能分析系统性能瓶颈的优化软件。它通过对系统全方位的诊断,找到系统性能的瓶颈所在,然后有针对性地进行修改、优化。优化后系统性能和网络速度都会有明显提升。

       平常使用的时候感觉不错,就记录一下。

mac系统问题和优化-显示隐藏文件的脚本

mac系统默认情况下无法查看隐藏文件,如果有需要可以使用脚本,显示隐藏文件。

脚本源代码如下:

display dialog "隐藏/显示隐藏文件" buttons {"可见", "隐藏"} with icon 2 with title "Switch to presentation mode" default button 1

set switch to button returned of result

if switch is "隐藏" then
	do shell script "defaults write com.apple.finder AppleShowAllFiles -bool false;
KillAll Finder"
	
else
	do shell script "defaults write com.apple.finder AppleShowAllFiles -bool true;
KillAll Finder"
	
end if

复制脚本源代码,然后 打开 Launchpad —>其他—>Script Editor
复制代码然后运行就可以了。或者选 文件 导出 成 application 也可以。

坑爹生活反思-网站目录与文章标题的思考

隐藏的文章需要配置的地方:
1、UAM 配置
2、自动展开 category 目录 配置
3、Popular post 配置
4、recent psot  不需要 配置


网站目录分类说明:

1、二级分类会带有一级分类的名字,这样做是为了在文章后台更加清晰的,识别与管理。因为后台只会展示二级分类名,这样做为了避免存在同名二级分类却一级分类不同的情况。

2、各系统中 的软件被分为2类
(1)、面向多数用户的。(这部分软件,独自建立分类目录)
(2)、面向自己本人的。(这部分软件,分两类 1,跨平台的,归类到系统通用。2,不跨平台的归类到系统特有自用软件)

3、取文章标题时,会加入分类名作为前缀,这样做方便区分和管理。如果一个前缀分类名不好区分,标题中需要附加另一个前缀名,以增加文章的区分度。标题取名时,最多24个字,方便好看易于管理。27感觉也行吧。
一级分类下的问章,就直接取名:一级分类+标题
二级分类下的文章,就直接取名:二级分类+(需要区分加一级分类)+标题

4、关于前端技术文章的分类看法:
移动端按系统来分:按系统来分,可以梳理系统各个模块的划分,然后关于 语言分类问题,可以在 最终的文章上,最前端加语言标记,java-安卓Service-标题。kotlin-安卓Service-标题。这样做的目的,可以不破坏系统的介绍的完整性。然后文章按标题分类时,按首字母分类,可以很快的区分两种语言。同理,Ios的Objective-C和Swift 也可以参照此法进行系统的分类。
桌面端按框架来访:这样子,可以针对各种web前端框架进行梳理和分析,文章分类比较合理点。

5、关于流水账与日期明确的文章,采用 分类-年月-标题 来划分文章 比较好看。
时间导向性文章,还是这样操作比较好。分类的话,只用时间分类的话,可能会有后台混淆,还是采用 分类-日期的方式吧。

6、新增加了:
百科随记,用于分类记录 之前没有归类过的 流水账。(百科随记 主要侧重 网络获取的知识)
生活摘记,主要侧重于记录 日常生活。

健康贴士,单独建立分类,用于整理关于健康的小贴士文章,初步打算根据影响因素分类。
一般提到的只有四个危险因素
意见建议:1、环境因素:包括生物因素(致病性微生物、细菌、病毒、真菌、原虫以)及物理、化学、社会、经济、文化教育、就业等因素。
2、个人行为生活因素:包括营养、风俗习惯、嗜好(吸烟、酗酒)、交通工具(如汽车所带来的车祸)、体育锻炼、心理、精神状态等。
3、医疗卫生服务的因素:医疗质量低、误诊漏诊、医院交叉感染等都是直接危害健康和影响医疗质量的因素。
4、人类生物遗传因素
【最终,健康贴士 我采用 衣食住行 的方式 进行了 分类】

7、关于一类分类取名的问题,如果一类分类取名不会和其他分类的一类分类名混淆,可以直接取名,会混淆的话,还是用  主分类名-一类分类名  吧(关于一级分类名,有些时候别取木头了,健康贴士-饮食 ,还不如 直接取名:健康饮食,这样直观明了还简单 )

二级分类取名就是  就是包括 两个名了,中间 – 连接

主要是wordpress太渣了,后台文章分类只显示 子分类,无法追加父分类。所以容易对文章 归属 混淆。

关于一类分类下文章:本可根据 另一个关键字,建立二类 目录,但是二类目录文章少的话,
直接利用 文章取名 一类分类名-二类可分类关键字-文章标题
举例 疾病循环系统-高血压-标题名 (本来可以起高血压分类名字的,但是感觉文章少,直接采用这种方法了)

二级目录还是要拆分,因为看到文章标题,我不知道是哪个目录来的文章

wordpress-好用插件介绍

一、系统安全类

1、Wordfence Security
wordpress 老牌 防火墙插件,必装。

2、Google Authenticator
wordpress 后台登录两步验证插件,提升安全性。

3、Disable XML-RPC / Disable XML-RPC Pingback
关闭远程调用接口,接口是为移动端发博客调用的,但会被黑客利用,所以jing

二、系统优化类

1、EWWW Image Optimizer
对上传的图片进行压缩的插件。

2、W3 Total Cache
建立网站缓存的插件。

3、Accelerated Mobile Pages 
AMP 网站搜索,文章迅速加载插件。

三、文章编辑类

1、Black Studio TinyMCE Widget
wordpress  可以编辑文本的 网页小工具。

2、TinyMCE Advanced
增强版,wordpress 文章编辑软件,可以满足一般的使用需求了。

3、Crayon Syntax Highlighter
wordpress 代码编辑插件,可以方便的在文章中插入代码片段。风格比较多,覆盖比较全。

4、SyntaxHighlighter Evolved
wordpress 代码编辑插件,可以方便的在文章中插入代码片段。风格和前一种不同。

四、实用工具类

1、Collapsing Archives
一款将文章按月份自动收纳展开的插件。

2、Collapsing Categories
一款将文章按类别自动收纳展开的插件。

3、Media Library Assistant
一款对网站图片视频资源分类管理插件

4、Phoenix Media Rename
一款网站媒体资源重命名插件

5、Private content
可以在文章中,根据用户角色,判断是否能展示 文章部分隐藏内容。

6、User Access Manager
用户权限管理,可以设置哪些类别,文章,能被哪些用户访问。

7、Top 10
统计网站最流行的文章插件

8、WP Statistics
网站数据统计插件,统计网站各项数据

9、WP User Avatar
修改网站头像插件

10、wpDiscuz
网站论坛插件,在文章回复中添加验证码模块

11、Easy Table of Contents
有widget插件,可以自动生成文章目录,方便阅读

12、Q2W3 Fixed Widget

将侧边栏控件,自由设置固定还是滚动

五、网站维护类

1、Search & Replace
域名替换插件,可以替换数据库中所有域名信息。

2、UpdraftPlus – Backup/Restore
网站备份还原插件

六、界面美化类

1、weichuncai(WP伪春菜)
一款wordpress 桌面精灵插件。

2、Calendar Event
一款好看的日历插件

3、Responsive Lightbox
一款不错的网页图片浏览插件

wordpress 5.0 后,采用 simple code block 代码高亮插件

centos初装系统-安全性加固

转载自:https://www.linode.com/docs/security/securing-your-server/

In the Getting Started guide, you learned how to deploy a Linux distribution, boot your Linode and perform basic administrative tasks. Now it’s time to harden your Linode against unauthorized access.

Update Your System–FrequentlyPermalink

Keeping your software up to date is the single biggest security precaution you can take for any operating system. Software updates range from critical vulnerability patches to minor bug fixes, and many software vulnerabilities are actually patched by the time they become public.

Automatic Security UpdatesPermalink

There are arguments for and against automatic updates on servers. Fedora’s Wikihas a good breakdown of the pros and cons, but the risk of automatic updates will be minimal if you limit them to security updates. Not all package managers make that easy or possible, though.

The practicality of automatic updates is something you must judge for yourself because it comes down to what you do with your Linode. Bear in mind that automatic updates apply only to packages sourced from repositories, not self-compiled applications. You may find it worthwhile to have a test environment that replicates your production server. Updates can be applied there and reviewed for issues before being applied to the live environment.

Add a Limited User AccountPermalink

Up to this point, you have accessed your Linode as the root user, which has unlimited privileges and can execute any command–even one that could accidentally disrupt your server. We recommend creating a limited user account and using that at all times. Administrative tasks will be done using sudo to temporarily elevate your limited user’s privileges so you can administer your server.

Note

Not all Linux distributions include sudo on the system by default, but all the images provided by Linode have sudo in their package repositories. If you get the output sudo: command not found, install sudo before continuing.

To add a new user, first log in to your Linode via SSH.

CentOS / FedoraPermalink

  1. Create the user, replacing example_user with your desired username, and assign a password:
    useradd example_user && passwd example_user
    
  2. Add the user to the wheel group for sudo privileges:
    usermod -aG wheel example_user
    

    Caution

    In CentOS 6 a wheel group is disabled by default for sudo access. You must to configure it manually. Type from root: /usr/sbin/visudo. Then find the line # %wheeland uncomment this line. To began typing in vi, press a. To save and exit press Escape, then type :w(press enter), :q(press enter)

UbuntuPermalink

  1. Create the user, replacing example_user with your desired username. You’ll then be asked to assign the user a password:
    adduser example_user
    
  2. Add the user to the sudo group so you’ll have administrative privileges:
    adduser example_user sudo
    

DebianPermalink

  1. Debian does not include sudo by default so it must be installed:
    apt install sudo
    
  2. Create the user, replacing example_user with your desired username. You’ll then be asked to assign the user a password:
    adduser example_user
    
  3. Add the user to the sudo group so you’ll have administrative privileges:
    adduser example_user sudo
    
  4. After creating your limited user, disconnect from your Linode:
    exit
    
  5. Log back in as your new user. Replace example_user with your username, and the example IP address with your Linode’s IP address:
    ssh [email protected]
    

Now you can administer your Linode from your new user account instead of root. Nearly all superuser commands can be executed with sudo (example: sudo iptables -L -nv) and those commands will be logged to /var/log/auth.log.

Harden SSH AccessPermalink

By default, password authentication is used to connect to your Linode via SSH. A cryptographic key-pair is more secure because a private key takes the place of a password, which is generally much more difficult to brute-force. In this section we’ll create a key-pair and configure the Linode to not accept passwords for SSH logins.

Create an Authentication Key-pairPermalink

  1. This is done on your local computer, not your Linode, and will create a 4096-bit RSA key-pair. During creation, you will be given the option to encrypt the private key with a passphrase. This means that it cannot be used without entering the passphrase, unless you save it to your local desktop’s keychain manager. We suggest you use the key-pair with a passphrase, but you can leave this field blank if you don’t want to use one.Linux / OS X

    Caution

    If you’ve already created an RSA key-pair, this command will overwrite it, potentially locking you out of other systems. If you’ve already created a key-pair, skip this step. To check for existing keys, run ls ~/.ssh/id_rsa*.
    ssh-keygen -b 4096
    

    Press Enter to use the default names id_rsa and id_rsa.pub in /home/your_username/.ssh before entering your passphrase.

    Windows

    This can be done using PuTTY as outlined in our guide: Use Public Key Authentication with SSH.

  2. Upload the public key to your Linode. Replace example_user with the name of the user you plan to administer the server as, and 203.0.113.10 with your Linode’s IP address.LinuxFrom your local computer:
    ssh-copy-id [email protected]
    

    OS X

    On your Linode (while signed in as your limited user):

    mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/
    

    From your local computer:

    scp ~/.ssh/id_rsa.pub [email protected]:~/.ssh/authorized_keys
    

    Note

    ssh-copy-id is available in Homebrew if you prefer it over SCP. Install with brew install ssh-copy-id.

    Windows

    • Option 1: This can be done using WinSCP. In the login window, enter your Linode’s public IP address as the hostname, and your non-root username and password. Click Login to connect.Once WinSCP has connected, you’ll see two main sections. The section on the left shows files on your local computer and the section on the right shows files on your Linode. Using the file explorer on the left, navigate to the file where you’ve saved your public key, select the public key file, and click Upload in the toolbar above.You’ll be prompted to enter a path where you’d like to place the file on your Linode. Upload the file to /home/example_user/.ssh/authorized_keys, replacing example_user with your username.
    • Option 2: Copy the public key directly from the PuTTY key generator into the terminal emulator connected to your Linode (as a non-root user):
      mkdir ~/.ssh; nano ~/.ssh/authorized_keys
      

      The above command will open a blank file called authorized_keys in a text editor. Copy the public key into the text file, making sure it is copied as a single line exactly as it was generated by PuTTY. Press CTRL+X, then Y, then Enter to save the file.

    Finally, you’ll want to set permissions for the public key directory and the key file itself:

    sudo chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keys
    

    These commands provide an extra layer of security by preventing other users from accessing the public key directory as well as the file itself. For more information on how this works, see our guide on how to modify file permissions.

  3. Now exit and log back into your Linode. If you specified a passphrase for your private key, you’ll need to enter it.

SSH Daemon OptionsPermalink

  1. Disallow root logins over SSH. This requires all SSH connections be by non-root users. Once a limited user account is connected, administrative privileges are accessible either by using sudo or changing to a root shell using su -.
    /etc/ssh/sshd_config
    # Authentication:
    ...
    PermitRootLogin no
  2. Disable SSH password authentication. This requires all users connecting via SSH to use key authentication. Depending on the Linux distribution, the line PasswordAuthentication may need to be added, or uncommented by removing the leading #.
    /etc/ssh/sshd_config
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no

    Note

    You may want to leave password authentication enabled if you connect to your Linode from many different computers. This will allow you to authenticate with a password instead of generating and uploading a key-pair for every device.
  3. Listen on only one internet protocol. The SSH daemon listens for incoming connections over both IPv4 and IPv6 by default. Unless you need to SSH into your Linode using both protocols, disable whichever you do not need. This does not disable the protocol system-wide, it is only for the SSH daemon.Use the option:
    • AddressFamily inet to listen only on IPv4.
    • AddressFamily inet6 to listen only on IPv6.

    The AddressFamily option is usually not in the sshd_config file by default. Add it to the end of the file:

    echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config
    
  4. Restart the SSH service to load the new configuration.If you’re using a Linux distribution which uses systemd (CentOS 7, Debian 8, Fedora, Ubuntu 15.10+)
    sudo systemctl restart sshd
    

    If your init system is SystemV or Upstart (CentOS 6, Debian 7, Ubuntu 14.04):

    sudo service ssh restart
    

Use Fail2Ban for SSH Login ProtectionPermalink

Fail2Ban is an application that bans IP addresses from logging into your server after too many failed login attempts. Since legitimate logins usually take no more than three tries to succeed (and with SSH keys, no more than one), a server being spammed with unsuccessful logins indicates attempted malicious access.

Fail2Ban can monitor a variety of protocols including SSH, HTTP, and SMTP. By default, Fail2Ban monitors SSH only, and is a helpful security deterrent for any server since the SSH daemon is usually configured to run constantly and listen for connections from any remote IP address.

For complete instructions on installing and configuring Fail2Ban, see our guide: Securing Your Server with Fail2ban.

Remove Unused Network-Facing ServicesPermalink

Most Linux distributions install with running network services which listen for incoming connections from the internet, the loopback interface, or a combination of both. Network-facing services which are not needed should be removed from the system to reduce the attack surface of both running processes and installed packages.

Determine Running ServicesPermalink

To see your Linode’s running network services:

sudo ss -atpu

The following is an example of the output given by ss, and shows that the SSH daemon (sshd) is listening and connected. Note that because distributions run different services by default, your output will differ.

 Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port tcp LISTEN 0 128 *:ssh *:* users:(("sshd",pid=3675,fd=3)) tcp ESTAB 0 208 203.0.113.1:ssh 198.51.100.2:54820 users:(("sshd",pid=3698,fd=3)) tcp LISTEN 0 128 :::ssh :::* users:(("sshd",pid=3675,fd=4)) 

TCPPermalink

See the Peer Address:Port column of the ss readout. The process sshd is listening on *:*, which translates into any incoming IPv4 address to any port, and over any network interface. The next line shows an established SSH connection from IP address 198.51.100.2 via ephemeral port 54820. The last line, :::*denotes the sshd process listening for any incoming SSH connections over IPv6 to any port, and again over any network interface.

UDPPermalink

UDP sockets are stateless, meaning they are either open or closed and every process’s connection is independent of those which occurred before and after. This is in contrast to TCP connection states such as LISTEN, ESTABLISHED and CLOSE_WAIT. The ss output above shows no UDP connections.

Determine Which Services to RemovePermalink

A basic TCP and UDP nmap scan of your Linode without a firewall enabled would show SSH and possibly other services listening for incoming connections. By configuring a firewall you can filter those ports to your requirements. Ideally, the unused services should be disabled.

You will likely be administering your server primarily through an SSH connection, so that service needs to stay. As mentioned above, RSA keys and Fail2Ban can help protect SSH. System services like chronyd, systemd-resolved, and dnsmasqare usually listening on localhost and only occasionally contacting the outside world. Services like this are part of your operating system and will cause problems if removed and not properly substituted.

However, some services are unnecessary and should be removed unless you have a specific need for them. Some examples could be Exim, Apache and RPC.

Uninstall the Listening ServicesPermalink

How to remove the offending packages will differ depending on your distribution’s package manager.

Arch

sudo pacman -Rs package_name

CentOS

sudo yum remove package_name

Debian / Ubuntu

sudo apt purge package_name

Fedora

sudo dnf remove package_name

Run ss -atup again to verify that the unwanted services are no longer running.

Configure a FirewallPermalink

Using a firewall to block unwanted inbound traffic to your Linode provides a highly effective security layer. By being very specific about the traffic you allow in, you can prevent intrusions and network mapping. A best practice is to allow only the traffic you need, and deny everything else. See our documentation on some of the most common firewall applications:

  • Iptables is the controller for netfilter, the Linux kernel’s packet filtering framework. Iptables is included in most Linux distributions by default.
  • FirewallD is the iptables controller available for the CentOS / Fedora family of distributions.
  • UFW provides an iptables frontend for Debian and Ubuntu.

Next StepsPermalink

These are the most basic steps to harden any Linux server, but further security layers will depend on its intended use. Additional techniques can include application configurations, using intrusion detection or installing a form of access control.

Now you can begin setting up your Linode for any purpose you choose. We have a library of documentation to assist you with a variety of topics ranging from migration from shared hosting to enabling two-factor authentication to hosting a website.

See Also

centos初装系统-修改timezone

It may be better to use the same timezone which a majority of your users are located in, or that you live in to make log file timestamps more sensible.

Debian / Ubuntu

[bash]dpkg-reconfigure tzdata[/bash]

Arch Linux and CentOS 7

View the list of available time zones.

[bash]timedatectl list-timezones[/bash]

Use the Up, Down, Page Up and Page Down keys to navigate. Find the time zone which you want. Remember it, write it down or copy it as a mouse selection. Then press q to exit the list.

To set the time zone:

[bash]timedatectl set-timezone ‘America/New_York'[/bash]

Gentoo

View the list of available time zones.

[bash]ls /usr/share/zoneinfo[/bash]

Write the selected time zone to the /etc/timezone file.

Example (for Eastern Standard Time):

[bash]echo "EST" > /etc/timezone[/bash]

Configure the sys-libs/timezone-data package, which will set /etc/localtimeappropriately.

[bash]emerge –config sys-libs/timezone-data[/bash]

Check the Time

View the current date and time according to your server.

[bash]date[/bash]

The output should look similar to: Thu Feb 16 12:17:52 EST 2012.

 

转载自:https://www.linode.com/docs/getting-started/