Tested on Ubuntu 12.04 LTS.

This should be used only for an account dedicated to ftp, because filesystem write access will be removed.

Install vsftpd:

$ sudo apt-get install vsftpd

Edit /etc/vsftpd.conf:

$ sudo cp -p /etc/vsftpd.conf /etc/vsftpd.conf.orig
$ sudo vi /etc/vsftpd.conf


# JGZ 9/3/2014 – disable anonymous
#anonymous_enable=YES
anonymous_enable=NO

# JGZ 9/3/2014 – use local accounts
local_enable=YES
#

# JGZ 9/3/2014 – allow writing
write_enable=YES
#

# JGZ 9/3/2014 – jail local user accounts in their home directory
chroot_local_user=YES
#

# JGZ 9/3/2014 – don’t use the chroot list
chroot_list_enable=NO

# JGZ 9/3/2014 – chroot list file (only read when chroot_list_enable=YES)
chroot_list_file=/etc/vsftpd.chroot_list

Edit/create chroot list file:

$ sudo vi /etc/vsftpd.chroot_list

localusername

Remove write access from the localusername directory:

$ sudo chmod a-w /home/localusername

Note: If you use the command above, you will need to create a subdirectory in the home that the localusername can write in. If you want to restrict the ftp user to their home directory, omit the chroot_list_enable and chroot_list_file options specified in the config.

To enable verbose logging, add the following. This changes the log location from /var/log/xferlog to /var/log/vsftpd.log, but it gives you much more useful information:


# JGZ 3/2/2015 – verbose logging
#xferlog_std_format=YES
xferlog_std_format=NO

# JGZ 3/2/2015 – enable verbose logging
log_ftp_protocol=YES

To restrict the ftp user's command set, add the following. This will not allow the ftp user to delete files or directories:


# JGZ 3/2/2015 – deny delete file (DELE) and remove directory (RMD)
cmds_denied=DELE,RMD

To restrict FTP access to a set of IP addresses (CentOS 7), use TCP wrappers:

# vi /etc/vsftpd/vsftpd.conf

tcp_wrappers=YES

Restart vsftpd:

# systemctl restart vsftpd

Deny all access:

# vi /etc/hosts.deny

vsftpd: ALL

Create exceptions:

# vi /etc/hosts.allow

vsftpd:aaa.bbb.ccc.ddd www.xxx.yyy.zzz
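
An added example, not part of the original page: a small shell audit that reads a vsftpd.conf and reports whether the effective values match the settings described above, including the case where chroot_list_enable=YES combined with chroot_local_user=YES turns the list into users who are not jailed. The function names and the sample config are constructed for illustration, and the check assumes the TCP wrappers section is applied as well.

```shell
#!/bin/sh
# Effective value of KEY ($2) in FILE ($1), or DEFAULT ($3) if unset.
# Commented-out lines never match. Assumption: vsftpd applies settings in
# file order, so the last uncommented assignment wins.
conf_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Compare one setting with the wanted value; record a failure in $rc.
check() {  # $1=file $2=key $3=built-in default $4=wanted
    got=$(conf_get "$1" "$2" "$3")
    if [ "$got" = "$4" ]; then echo "ok    $2=$got"
    else echo "FAIL  $2=$got (want $4)"; rc=1; fi
}

# Audit FILE ($1); returns 0 only if every check passes.
vsftpd_audit() {
    rc=0
    check "$1" anonymous_enable YES NO
    check "$1" local_enable NO YES
    check "$1" chroot_local_user NO YES
    check "$1" log_ftp_protocol NO YES
    check "$1" tcp_wrappers NO YES
    denied=",$(conf_get "$1" cmds_denied ''),"
    for c in DELE RMD; do
        case $denied in
            *",$c,"*) echo "ok    $c denied" ;;
            *) echo "FAIL  $c not in cmds_denied"; rc=1 ;;
        esac
    done
    # With chroot_local_user=YES the list inverts: listed users are NOT jailed.
    if [ "$(conf_get "$1" chroot_list_enable NO)" = YES ] &&
       [ "$(conf_get "$1" chroot_local_user NO)" = YES ]; then
        echo "FAIL  users in chroot_list_file are not chrooted"; rc=1
    fi
    return $rc
}

# Constructed sample: the page's settings, with an old line left uncommented.
sample=$(mktemp)
printf '%s\n' 'anonymous_enable=YES' 'anonymous_enable=NO' 'local_enable=YES' \
    'write_enable=YES' 'chroot_local_user=YES' 'chroot_list_enable=NO' \
    'log_ftp_protocol=YES' 'cmds_denied=DELE,RMD' 'tcp_wrappers=YES' > "$sample"
vsftpd_audit "$sample"
rm -f "$sample"
```

To check a live system, call vsftpd_audit with /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf on CentOS 7) instead of the sample file.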