vsftpd is very secure, but hard to configure for virtual users and chroot.
Virtual users are usually helpful in a hosting environment.
It is also good to give each person a different FTP account restricted to a specific location.
Use the configuration below and the commands specified to create new users and manage existing ones.

    # Disable anonymous login
    anonymous_enable=NO

    # Controls whether local logins are permitted or not. If enabled, normal user accounts in /etc/passwd
    # (or wherever your PAM config references) may be used to log in.
    # This must be enabled for any non-anonymous login to work, including virtual users.
    local_enable=YES

    # This controls whether any FTP commands which change the filesystem are allowed or not (we override this later)
    write_enable=NO

    # By default, virtual users are treated with anonymous (i.e. maximally restricted) privilege (we override this later)
    anon_upload_enable=NO

    # When enabled, anonymous users will only be allowed to download files which are world readable
    anon_world_readable_only=NO

    # If set to YES, anonymous users will be permitted to create new directories (we override this later)
    anon_mkdir_write_enable=NO

    # Write operations other than upload and directory creation count as other_write, e.g. overwrite (we override this later)
    anon_other_write_enable=NO

    # Define a custom PAM service for our purpose
    pam_service_name=ftp

    # chroot users - yes, we need this
    chroot_local_user=YES

    # guest_enable separates logins from passwd, so a system account does not need to exist.
    # Needed for standalone authentication.
    guest_enable=YES

    # The user that guest (virtual) users are mapped to - generally the apache user or the directory owner
    guest_username=www

    # Needed, as listen has to be enabled for FTP to work
    listen=YES

    # Passive port range specification
    pasv_min_port=30000
    pasv_max_port=30999

    # Location of the per-user files where we override the options above as needed
    user_config_dir=/etc/vsftpd/vsftpd_user_conf

    # Needed to deny some system users
    userlist_enable=YES

    # List of the users that are denied
    userlist_file=/etc/vsftpd/denied_users

    # Maximum number of FTP clients at any given time
    max_clients=100

    # Maximum number of connections from a single IP
    max_per_ip=10

Additional log options you may want to add to the above config (I have added these):

    xferlog_enable=YES
    xferlog_std_format=YES
    dual_log_enable=YES
    log_ftp_protocol=YES

NOTE: now we override all the disabled options for each user (if not, you will be denied everything).

    write_enable=YES
    dirlist_enable=YES
    download_enable=YES
    anon_upload_enable=YES
    anon_other_write_enable=YES
    anon_mkdir_write_enable=YES
    local_root=/var/www/html

    auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
    account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login

    www
    wwwpassword
    username2
    password2

    db_load -T -t hash -f logins.txt /etc/vsftpd/vsftpd_login.db

    local_root=/var/www/html/xyz.com
    dirlist_enable=YES
    download_enable=YES
    write_enable=YES
    anon_upload_enable=YES
    anon_other_write_enable=YES
    anon_mkdir_write_enable=YES

NOTE: any change to a user's settings does not require a restart, but a new FTP connection is needed.
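
The user-management steps above (add a login to logins.txt, rebuild the database with db_load, write a per-user override file) can be wrapped in a small shell helper that also validates its input. This is an added example, not part of the original post: the function names are hypothetical, and it assumes logins.txt is kept in /etc/vsftpd and that each override file is named after the login inside user_config_dir.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths follow the config above.
VSFTPD_DIR=${VSFTPD_DIR:-/etc/vsftpd}
LOGINS=${LOGINS:-$VSFTPD_DIR/logins.txt}   # assumed location of logins.txt
USER_CONF_DIR=${USER_CONF_DIR:-$VSFTPD_DIR/vsftpd_user_conf}

# Accept only simple names, so a login can never be a path such as ../x.
valid_user() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
}

# True if the name is already a key (odd line) in the db_load input file.
user_exists() {
    [ -f "$LOGINS" ] && awk -v u="$1" 'NR % 2 == 1 && $0 == u { f = 1 } END { exit !f }' "$LOGINS"
}

# Append user and password on alternating lines, the format db_load -T reads.
add_login() {
    valid_user "$1" || { echo "bad username: $1" >&2; return 1; }
    [ -n "$2" ] || { echo "empty password" >&2; return 1; }
    if user_exists "$1"; then echo "user exists: $1" >&2; return 1; fi
    ( umask 077; printf '%s\n%s\n' "$1" "$2" >> "$LOGINS" )
}

# Write the per-user override file with the options used on this page.
write_user_conf() {
    valid_user "$1" || { echo "bad username: $1" >&2; return 1; }
    case "$2" in
        *..*) echo "local_root must not contain .." >&2; return 1 ;;
        /*) ;;
        *) echo "local_root must be absolute" >&2; return 1 ;;
    esac
    mkdir -p "$USER_CONF_DIR"
    printf '%s\n' "local_root=$2" dirlist_enable=YES download_enable=YES \
        write_enable=YES anon_upload_enable=YES anon_other_write_enable=YES \
        anon_mkdir_write_enable=YES > "$USER_CONF_DIR/$1"
}

# Rebuild the database pam_userdb reads; keep it and the plaintext list private.
rebuild_db() {
    ( umask 077; db_load -T -t hash -f "$LOGINS" "$VSFTPD_DIR/vsftpd_login.db" ) &&
        chmod 600 "$LOGINS" "$VSFTPD_DIR/vsftpd_login.db"
}
```

Source the file as root, then run for example `add_login username2 password2 && rebuild_db && write_user_conf username2 /var/www/html/xyz.com`. Because logins.txt holds plaintext passwords, the helper creates it with mode 600 and resets both files to 600 after each rebuild.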
Some useful links:
user permission fix