VsFTPD

Very secure, but hard to configure for virtual users and chroot.
Virtual users are mostly useful in a hosting environment: each person gets a separate FTP login confined to one specific directory, without needing a system account.

Use the configuration below, and the commands that follow it, to create and manage users.

| /etc/vsftpd/vsftpd.conf
# Disable anonymous login

anonymous_enable=NO

# Controls whether local logins are permitted. If enabled, normal user accounts in /etc/passwd
# (or wherever your PAM config references) may be used to log in.
# This must be enabled for any non-anonymous login to work, including virtual users.

local_enable=YES

# Controls whether any FTP commands which change the filesystem are allowed. (overridden per user below)

write_enable=NO

# By default, virtual users are treated with anonymous (i.e. maximally restricted) privilege,
# so the anon_* options govern what they may do. (overridden per user below)

anon_upload_enable=NO

# When enabled, anonymous users will only be allowed to download files which are world readable

anon_world_readable_only=NO

# If set to YES, anonymous users will be permitted to create new directories (overridden per user below)

anon_mkdir_write_enable=NO

# Any write other than upload or directory creation (overwrite, rename, delete) counts as "other write" (overridden per user below)

anon_other_write_enable=NO

# Name of the PAM service to authenticate against; /etc/pam.d/ftp is created below.

pam_service_name=ftp

# Chroot every user to its local_root. Caveat: since vsftpd 2.3.5 a login is refused with
# "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" when the chroot root
# is writable by the logged-in user. Keep local_root itself non-writable and grant write access
# in subdirectories, or (vsftpd 3.0.0+) set allow_writeable_chroot=YES and accept the risk.

chroot_local_user=YES

# guest_enable separates the FTP login name from /etc/passwd, so no system account needs to
# exist for each virtual user. Required for the standalone (pam_userdb) authentication below.

guest_enable=YES

# The real system user every virtual user is mapped to; all file access happens as this account,
# so use the web server user or the owner of the served directories.

guest_username=www

# listen must be enabled for standalone mode (not started from inetd/xinetd)

listen=YES

# Passive port range (open the same range on the firewall)

pasv_min_port=30000
pasv_max_port=30999

# Directory of per-user files in which the restrictive defaults above are overridden.

user_config_dir=/etc/vsftpd/vsftpd_user_conf

# Deny a list of user names. With the default userlist_deny=YES, a name in the file is
# refused before a password is even asked for, so no password crosses the wire.

userlist_enable=YES

# The file listing the denied users

userlist_file=/etc/vsftpd/denied_users

# Maximum number of simultaneous FTP clients

max_clients=100

# Maximum number of connections from a single IP address

max_per_ip=10

Additional logging options you may want to add to the config above:

xferlog_enable=YES
xferlog_std_format=YES
dual_log_enable=YES
log_ftp_protocol=YES
  • create the directory “/etc/vsftpd/vsftpd_user_conf”
  • create the file “/etc/vsftpd/vsftpd_user_conf/www”

NOTE : the per-user file re-enables, for that user only, every write option that was disabled above. Without it the user can log in but is denied every operation.

| /etc/vsftpd/vsftpd_user_conf/www
write_enable=YES
dirlist_enable=YES
download_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
local_root=/var/www/html
  • create the PAM service named by pam_service_name (ftp) so that authentication and account checks go against a Berkeley DB (db4) file instead of /etc/passwd. On 64-bit distributions the module lives in /lib64/security; writing just pam_userdb.so lets PAM find it in its default module path.
| /etc/pam.d/ftp
auth    required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
  • create a text file with alternating username / password lines (users.txt). Note that db= above is given without the .db suffix that db_load adds.
| /etc/vsftpd/users.txt
www
wwwpassword
username2
password2
  • generate the database from users.txt. Both files hold the passwords in clear text, so restrict users.txt and the resulting .db to root (mode 600).
db_load -T -t hash -f /etc/vsftpd/users.txt /etc/vsftpd/vsftpd_login.db
  • create the per-user restrictions for the second user (its local_root confines it to a single site)
| /etc/vsftpd/vsftpd_user_conf/username2
local_root=/var/www/html/xyz.com
dirlist_enable=YES
download_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
  • If uploaded files arrive with permission 600 and chmod is refused, the cause is that virtual users run with anonymous privileges: anon_umask defaults to 077 and anonymous users never get SITE CHMOD. Add the following lines to the user's file so it is treated like a local user (chmod_enable then applies, and local_umask governs new files; set local_umask=022 if uploads should be readable by the web server by default). With virtual_use_local_privs=YES the anon_* lines are no longer needed, since write_enable alone governs writes.
| /etc/vsftpd/vsftpd_user_conf/username2
chmod_enable=YES
virtual_use_local_privs=YES

NOTE : per-user files are read at login, so a change to a user's settings takes effect on the next FTP connection without restarting vsftpd.

Useful link:
user permission fix
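The steps above, collected into shell functions as an added example (this is not part of the original page and not vsftpd's own tooling). Assumptions not taken from the page: the VSFTPD_ETC variable (defaulting to /etc/vsftpd) so the whole thing can be dry-run in a scratch directory, the function names, and the sample user list in the usage comment, which is constructed for illustration. The writable-root check approximates vsftpd's own test from the directory mode bits only; it does not know which user the chroot runs as.

```shell
#!/bin/sh
# Added example: helpers for the vsftpd virtual-user setup described above.
# VSFTPD_ETC (assumed, not a vsftpd option) points at the config tree; override
# it with a temporary directory to rehearse the steps without touching /etc.
set -eu

VSFTPD_ETC="${VSFTPD_ETC:-/etc/vsftpd}"

# users.txt must be alternating username / password lines with no blanks:
# db_load -T reads it that way, and a stray line shifts every following pair.
check_users_file() {
    file="$1"
    if grep -q '^$' "$file"; then
        echo "blank line in $file" >&2
        return 1
    fi
    n=$(awk 'END { print NR }' "$file")
    if [ $((n % 2)) -ne 0 ]; then
        echo "odd number of lines in $file (username without password?)" >&2
        return 1
    fi
    return 0
}

# Build the Berkeley DB for pam_userdb. The db= argument in /etc/pam.d/ftp is
# given WITHOUT the .db suffix, so the file created here is "$2.db".
build_login_db() {
    users="$1"; db="$2"
    check_users_file "$users"
    command -v db_load >/dev/null 2>&1 || { echo "db_load not installed" >&2; return 1; }
    db_load -T -t hash -f "$users" "$db.db"
    chmod 600 "$users" "$db.db"   # both contain clear-text passwords
}

# Write the per-user override file. Virtual users start with anonymous
# (maximally restricted) privilege, so each right has to be granted here.
# privs=local emits the virtual_use_local_privs variant used for the
# "uploads arrive as mode 600 / chmod refused" fix; then the anon_* lines
# are unnecessary because write_enable alone governs writes.
write_user_conf() {
    user="$1"; root="$2"; privs="${3:-anon}"
    dir="$VSFTPD_ETC/vsftpd_user_conf"
    mkdir -p "$dir"
    {
        echo "local_root=$root"
        echo "dirlist_enable=YES"
        echo "download_enable=YES"
        echo "write_enable=YES"
        if [ "$privs" = local ]; then
            echo "virtual_use_local_privs=YES"
            echo "chmod_enable=YES"
        else
            echo "anon_upload_enable=YES"
            echo "anon_mkdir_write_enable=YES"
            echo "anon_other_write_enable=YES"
        fi
    } > "$dir/$user"
    chmod 644 "$dir/$user"
    echo "$dir/$user"
}

# Since vsftpd 2.3.5 a chroot root that is writable by the logged-in user is
# refused ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()").
# Approximate that check from the mode bits: fail if any write bit is set on
# the directory, which is the conservative reading of vsftpd's rule.
chroot_root_ok() {
    mode=$(ls -ld "$1" | awk '{ print $1 }')
    case "$mode" in
        ??w*|?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Usage (constructed sample; run as root against the real /etc/vsftpd):
#   printf 'www\nwwwpassword\nusername2\npassword2\n' > /etc/vsftpd/users.txt
#   build_login_db /etc/vsftpd/users.txt /etc/vsftpd/vsftpd_login
#   write_user_conf www /var/www/html
#   write_user_conf username2 /var/www/html/xyz.com local
#   chroot_root_ok /var/www/html/xyz.com || echo "local_root is writable; login will be refused"
```

Run the usage lines with VSFTPD_ETC set to a scratch directory first to see the generated files, then against /etc/vsftpd. chroot_root_ok is worth running on every local_root before the first login, because the "500 OOPS" refusal is the single most common reason a freshly configured virtual user cannot connect.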

DONE

vsftpd.txt · Last modified: 2020/08/10 02:35 (external edit)