

VsFTPD

Very secure, but hard to configure for virtual users and chroot.
Here is the setup I worked out for a client after a day of cracking it.

| /etc/vsftpd/vsftpd.conf
# Disable Anonymous login
 
anonymous_enable=NO
 
# Controls whether local logins are permitted. If enabled, normal user accounts in /etc/passwd
# (or wherever your PAM config references) may be used to log in.
# This must be enabled for any non-anonymous login to work, including virtual users.
 
local_enable=YES
 
# This controls whether any FTP commands which change the filesystem are allowed or not. (we override later)
 
write_enable=NO
 
# by default, virtual users are treated with anonymous (i.e. maximally restricted) privilege. (we override later)
 
anon_upload_enable=NO
 
# When enabled, anonymous users will only be allowed to download files which are world readable
 
anon_world_readable_only=NO
 
# If set to YES, anonymous users will be permitted to create new directories (we override later)
 
anon_mkdir_write_enable=NO
 
# Any write operation other than upload or directory creation (e.g. overwrite, rename, delete) counts as "other write" (we override later)
anon_other_write_enable=NO
 
# define custom pam service for our purpose.
 
pam_service_name=ftp
 
# chroot users !! yeah we need this
 
chroot_local_user=YES
 
# guest_enable separates the FTP login name from /etc/passwd, so no system account needs to exist for each virtual user.
# Needed for standalone (pam_userdb) authentication.
 
guest_enable=YES
 
# System user that guest logins are mapped to - generally the web server (apache) user OR the directory owner
 
guest_username=www
 
# listen must be enabled for vsftpd to run in standalone mode (not launched from inetd)
 
listen=YES
 
# Passive port range specification
 
pasv_min_port=30000
pasv_max_port=30999
 
# Location where we override all above options where we need overriding.
 
user_config_dir=/etc/vsftpd/vsftpd_user_conf
 
# Needed to deny specific system users
 
userlist_enable=YES
 
# List of users that are denied login
 
userlist_file=/etc/vsftpd/denied_users
 
# Maximum number of FTP clients connected at any one time
 
max_clients=100
 
# Maximum number of connections from a single IP address
 
max_per_ip=10

Additional log options

xferlog_enable=YES
xferlog_std_format=YES
dual_log_enable=YES
log_ftp_protocol=YES
  • create directory “/etc/vsftpd/vsftpd_user_conf”
  • create file “/etc/vsftpd/vsftpd_user_conf/www”
| /etc/vsftpd/vsftpd_user_conf/www
write_enable=YES
dirlist_enable=YES
download_enable=YES
local_root=/var/www/html
  • create pam auth rule for db4 based database
| /etc/pam.d/ftp
auth    required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
  • create a text file with alternating username / password lines: users.txt
| /etc/vsftpd/users.txt
www
wwwpassword
username2
password2
  • generate database based on users.txt file
db_load -T -t hash -f /etc/vsftpd/users.txt /etc/vsftpd/vsftpd_login.db
  • generate virtual user restriction for second user
| /etc/vsftpd/vsftpd_user_conf/username2
local_root=/var/www/html/xyz.com
dirlist_enable=YES
download_enable=YES
write_enable=YES
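The steps above done as a script, as an added helper that is not from the wiki page or from the vsftpd project: it checks that users.txt has the alternating username/password layout db_load -T expects, writes a per-user override file, and builds the pam_userdb database with root-only permissions, since both users.txt and the .db hold the passwords. Function names and the default paths are my own choices.

```shell
#!/bin/sh
# Added helper (not from the wiki page): builds the vsftpd virtual-user files
# from a users.txt of alternating username/password lines.
set -eu

# Return 0 if the file has an even, non-zero number of lines and no blank line,
# i.e. every username line is followed by exactly one password line.
check_users_file() {
    file="$1"
    n=$(grep -c '' "$file" || true)   # line count, including an unterminated last line
    [ "$n" -gt 0 ] && [ $((n % 2)) -eq 0 ] || return 1
    ! grep -q '^$' "$file"
}

# Write the override file /etc/vsftpd/vsftpd_user_conf/<user>: write access is
# granted only here, per user, and confined to the given local_root.
gen_user_conf() {
    confdir="$1"; user="$2"; root="$3"
    mkdir -p "$confdir"
    chmod 755 "$confdir"
    printf 'local_root=%s\ndirlist_enable=YES\ndownload_enable=YES\nwrite_enable=YES\n' \
        "$root" > "$confdir/$user"
    chmod 644 "$confdir/$user"
}

# Build the Berkeley DB consumed by pam_userdb. $2 is the db= path from
# /etc/pam.d/ftp without the .db suffix, which db_load needs appended.
build_login_db() {
    users="$1"; db="$2"
    check_users_file "$users" || { echo "bad users file: $users" >&2; return 1; }
    chmod 600 "$users"                       # plaintext passwords: root only
    db_load -T -t hash -f "$users" "$db.db"
    chmod 600 "$db.db"                       # the .db holds the same secrets
}

# Example wiring, matching the page's paths (requires root and db_load):
#   build_login_db /etc/vsftpd/users.txt /etc/vsftpd/vsftpd_login
#   gen_user_conf /etc/vsftpd/vsftpd_user_conf username2 /var/www/html/xyz.com
```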

DONE

vsftpd.1244796453.txt.gz · Last modified: 2020/08/10 02:29 (external edit)