[ Main / Projects / Docs / Files / FAQ / Links ]
First, only run services that you absolutely need. Second, my reccomendations may not fit your requirements; my primary criterion for a daemon is security. That said, I would suggest running the following services:
OpenSSH - There really aren't any other options, and most any machine will require ssh service. However, ssh necessarily relies upon root, so it will always be a security worry. Fortunately, OpenSSH has had a good record of late.
Postfix - Postfix has an excellent security record and is regularly updated. Combined with its high performance and easy administration, there's really no good reason to choose another MTA.
I used to run qmail a long time ago, but it has atrophied badly (§1.2/§4.3 is the most severe issue, IMO) from lack of maintenance, and requires a great deal of work to sanitize its behavior for modern, spammy networks. Therefore, I now reccomend Postfix.
syslog-ng - syslog-ng has a good security record and is quite powerful. Further, for very paranoid hosts, it can run as a non-root user from within a chroot, giving it the best security characteristics of any existing log daemon.
NTPv4 - I would suggest using the reference NTP implementation. It supports Linux capabilities by default and will run as an unpriviliged user in a chroot jail. NTPv3 had a spotty security record, but NTPv4 seems fairly robust and offers better accuracy and compatibility than OpenNTPd.
nginx - Nginx is small, very fast, and has a good security record. It's also featureful enough (via a module system) to do whatever you may need.
vsftpd - FTP is largely obsoleted by http and scp, but if you need an anonymous ftp server, vsftpd is very fast and very secure. It's the only ftp daemon I would reccomend; most other ftp servers have very bad security records, probably because of the complexity of the ftp protocol.
ndhc - ndhc is written to be secure and takes advantage of privilege seperation, a chroot jail, and capabilities. It's the only dhcp client that I know of that does not require root privileges.
unbound and NSD - Assuming that you do not need realtime updates of your authoritative DNS records (in which case a database-backed server such as PowerDNS will be required), the pair of unbound (recursive queries) and NSD (serving records) is the best choice. They're very fast, standards-compliant, and have excellent security records. If you do need database-backed serving, replace NSD with PowerDNS.
ncron - ncron is written to be secure, and is designed so that in the most paranoid circumstances, it may be run as a single-user cron to entirely eliminate any possible risk. ncron handles rlimits, chroots, and running processes under alternate credentials, as well as some other features that most cron daemons do not support.
Network UPS Tools - NUT takes advantage of privsep and chroots to provide secure UPS monitoring. Additionally, it handles more models of UPS than any other free software.
vpidentd - Written in ocaml and with deny-by-default in mind, it is secure and will not leak information.
tcps - tcps is a minimal tcp server that will listen and spawn services on its port. It's small, secure, and GPL. An alternative is BSD inetd (Debian has a port that is fine). tcpserver is similar to tcps, but has a different license and coding style. xinetd has suffered from some security holes in the past and should be avoided.
ISC DHCPD is the best choice. Make sure to run it as a non-root user and restrict it to a chroot for maximal safety.
ndyndns is my effort at producing a small, secure, and protocol-compliant client update daemon for dyndns.org. It's perhaps a bit more specific than the above, but I've not found an update client that I've liked in years, so it's perhaps worth mentioning.