First of all, move the original vsftpd configuration file aside (keep it for reference) and open a new, empty one:
sudo mv /etc/vsftpd.conf /etc/vsftpd.conf_orig
sudo nano /etc/vsftpd.conf
Now paste the following into the new vsftpd.conf (comment lines starting with # are allowed; vsftpd does not accept comments on the same line as a setting):
# Control connection on a non-standard port. listen=NO together with
# listen_ipv6=YES binds one dual-stack socket that accepts IPv4 and IPv6 clients.
listen_port=4021
listen=NO
listen_ipv6=YES
# Only real local accounts; no anonymous access.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
# Active-mode data connections are not sourced from port 20; clients are
# expected to use passive mode, configured below. Set this only once:
# vsftpd does not reject duplicate keys, the last value silently wins.
connect_from_port_20=NO
# Lock every local user into their own home directory.
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
# The certificate paths are unused while ssl_enable=NO: passwords and data
# travel in clear text over port 4021.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
# Passive mode with a fixed port range, so the firewall can be opened for it.
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=10100
# vsftpd 3.x refuses to log a user into a chroot whose root is writable
# unless this is set; the home directory below is writable, so it is needed.
allow_writeable_chroot=YES
Restart the vsftpd service and it will start listening on port 4021:
service vsftpd restart
Now create sftp group:
groupadd sftp
Edit /etc/ssh/sshd_config so that members of the sftp group are restricted to SFTP and cannot log in with an SSH client:
nano /etc/ssh/sshd_config
Add the following block at the end of the file (everything after a Match line belongs to that block, so it has to come after all global settings):
Match Group sftp
    ChrootDirectory /var/www/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
%u expands to the login name, so myftpuser is confined to /var/www/myftpuser, the root-owned directory created below. sshd refuses to chroot into a directory that is not owned by root or is writable by group or others, and logs "bad ownership or modes for chroot directory" if it is. Inside the chroot the home path /var/www/myftpuser/www does not resolve, so the SFTP session starts at the chroot root, where the www folder is visible.
Restart the SSH server
service ssh restart
Now let's create a user and give it a password:
useradd myftpuser
passwd myftpuser
Change the home folder of the "myftpuser" user:
usermod -d /var/www/myftpuser/www myftpuser
Create the directory tree. Root must own /var/www/myftpuser/ (the directory sshd chroots into), and it must not be writable by group or others (mode 755, which mkdir gives under the default umask):
mkdir -p /var/www/myftpuser/www
chown root:root /var/www/myftpuser/
Add the user to the sftp and www-data groups (-a appends; without it -G would replace the existing supplementary groups, and there must be no space after the comma):
usermod -aG sftp,www-data myftpuser
Check groups of your newly created user:
groups myftpuser
Groups www-data and sftp should be listed.
Make www-data the owner of the web folder where all of your files will be stored:
chown www-data:www-data /var/www/myftpuser/www/
Because myftpuser is not the owner, it can only write here through the www-data group, so uploads over either FTP or SFTP will fail until the folder also carries the group write bit (mode 2775 keeps new files in the www-data group as well).
Last but not least, try to ssh into the myftpuser account. You should not get a shell: sshd runs internal-sftp in place of one, so an interactive session is closed right after authentication (OpenSSH prints "This service allows sftp connections only."). An sftp client login as the same user should succeed and start at the chroot root, with the www folder visible.
The next step is to try logging in to your FTP server, remembering to use port 4021 as specified above.
Also do not forget to allow port 4021 in your firewall, together with the passive data range 10000 to 10100 configured above; without the range, logins succeed but directory listings and transfers hang. I use ufw, so the following commands open both:
ufw allow 4021/tcp
ufw allow 10000:10100/tcp
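The following script is an added example, not part of the original post: it checks the three things in this walkthrough that fail silently (a duplicated vsftpd setting, a firewall that misses the passive range, and a ChrootDirectory sshd will reject). It talks to neither vsftpd nor sshd, so it can run before the services are restarted. The sample vsftpd.conf is constructed from the listing above, the chroot path /var/www/myftpuser is the one used on this page, and the script assumes GNU coreutils stat (Linux).

```shell
#!/bin/sh
# Added example (not the original post's code): offline sanity checks for the
# vsftpd + SFTP-chroot setup. Needs sh, awk, grep and GNU stat only.

# Constructed sample: the vsftpd.conf listing from the post, including the
# duplicated connect_from_port_20 line, written to a temp file.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
listen_port=4021
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
connect_from_port_20=YES
connect_from_port_20=NO
chroot_local_user=YES
ssl_enable=NO
pasv_enable=Yes
pasv_min_port=10000
pasv_max_port=10100
allow_writeable_chroot=YES
EOF

# Keys set more than once. vsftpd does not reject duplicates; the last value
# silently wins, so a leftover pair is a trap worth catching before restart.
vsftpd_dup_keys() {    # $1 = path to vsftpd.conf; prints one key per line
  grep -v '^[[:space:]]*#' "$1" | grep '=' | cut -d= -f1 | tr -d ' \t' | sort | uniq -d
}

# TCP ports a firewall must open for this config: the control port
# (listen_port, default 21) and, when passive mode is on, the passive range.
vsftpd_firewall_ports() {    # $1 = path; prints e.g. "4021 10000:10100"
  awk -F= '
    NF && !/^[ \t]*#/ {
      gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2); v[$1] = $2
    }
    END {
      port = ("listen_port" in v) ? v["listen_port"] : 21
      if (toupper(v["pasv_enable"]) == "YES" && ("pasv_min_port" in v))
        printf "%s %s:%s\n", port, v["pasv_min_port"], v["pasv_max_port"]
      else
        print port
    }' "$1"
}

# Turn that port list into ufw rules, one per line.
vsftpd_ufw_rules() {    # $1 = path to vsftpd.conf
  for p in $(vsftpd_firewall_ports "$1"); do
    echo "ufw allow $p/tcp"
  done
}

# sshd rejects a ChrootDirectory that is not root-owned or is writable by
# group or others. Apply the same test before enabling the Match block.
chroot_dir_ok() {    # $1 = directory; returns 0 when sshd would accept it
  perm=$(stat -c %A "$1" 2>/dev/null) || return 1   # e.g. drwxr-xr-x
  uid=$(stat -c %u "$1" 2>/dev/null) || return 1
  [ "$uid" -eq 0 ] || return 1
  # character 6 is the group write bit, character 9 the other write bit
  [ "$(printf '%s' "$perm" | cut -c6)" = "-" ] || return 1
  [ "$(printf '%s' "$perm" | cut -c9)" = "-" ] || return 1
  return 0
}

# Demo run against the constructed config and the post's chroot directory.
echo "duplicate keys: $(vsftpd_dup_keys "$CONF")"
vsftpd_ufw_rules "$CONF"
if chroot_dir_ok /var/www/myftpuser; then
  echo "/var/www/myftpuser: acceptable as ChrootDirectory"
else
  echo "/var/www/myftpuser: missing, not root-owned, or writable by group/others"
fi
```

Run it as root on the server after the chown step; vsftpd_ufw_rules prints exactly the rules the firewall section needs, and chroot_dir_ok fails for the same reasons sshd would otherwise report only in its log. To confirm the Match block applies to the user, sshd -T -C user=myftpuser prints the effective configuration for that user (older OpenSSH versions also require host= and addr= in the -C spec).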