This is an old revision of the document!
Very secure, but hard to configure for virtual users and chroot.
Here i have crack it down one day for my client.
# Disable Anonymous login anonymous_enable=NO # Controls whether local logins are permitted or not. If enabled, normal user accounts in /etc/passwd # (or wherever your PAM config references) may be used to log in. # This must be enable for any non-anonymous login to work, including virtual users. local_enable=YES # This controls whether any FTP commands which change the filesystem are allowed or not. (we override later) write_enable=NO # by default, virtual users are treated with anonymous (i.e. maximally restricted) privilege. (we override later) anon_upload_enable=NO # When enabled, anonymous users will only be allowed to download files which are world readable anon_world_readable_only=NO # If set to YES, anonymous users will be permitted to create new directories (we override later) anon_mkdir_write_enable=NO # operation other than upload, creation consider as other_write e.g.. overwrite ( we override later) anon_other_write_enable=NO # define custom pam service for our purpose. pam_service_name=ftp # chroot users !! yeah we need this chroot_local_user=YES # Guest enable will separate login from passwd - so you do not need system account to exists. # need this for standalone authentication. guest_enable=YES # where you want to guest user to - generally apache user OR directory owner guest_username=www # This needed as listen has to be enable for ftp to work listen=YES # Passive port range specification pasv_min_port=30000 pasv_max_port=30999 # Location where we override all above options where we need overriding. user_config_dir=/etc/vsftpd/vsftpd_user_conf # Need this to disable some users from system userlist_enable=YES # List of the users which is disabled userlist_file=/etc/vsftpd/denied_users # Maximum ftp client at any given moment of time max_clients=100 # How many connection from single ip max_per_ip=10
Additional Log options, you would like to add to above config i have added
xferlog_enable=YES xferlog_std_format=YES dual_log_enable=YES log_ftp_protocol=YES
NOTE : now we are overriding all disabled options for each user. (if not you will be denied for anything )
write_enable=YES dirlist_enable=YES download_enable=YES anon_upload_enable=YES anon_other_write_enable=YES anon_mkdir_write_enable=YES local_root=/var/www/html
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
www wwwpassword username2 password2
db_load -T -t hash -f logins.txt /etc/vsftpd/vsftpd_login.db
local_root=/var/www/html/xyz.com dirlist_enable=YES download_enable=YES write_enable=YES anon_upload_enable=YES anon_other_write_enable=YES anon_mkdir_write_enable=YES
NOTE : any change to user setting does not require restart - but new ftp connection needed.
DONE