FTP
On Linux, to disable shell access for a vsftpd user:
Add /bin/false to the /etc/shells file, then make /bin/false the default shell for the user.
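An added example (not from the original page): a shell check that the two steps above took effect for every member of an FTP group. The function names, the sample accounts and the list of shells treated as non-interactive are assumptions made for illustration; "not-listed" marks accounts that would be refused by a server that requires a valid shell, as RequireValidShell does in the ProFTPd sample configuration further down.

```shell
#!/bin/sh
# audit_ftp_shells PASSWD GROUP SHELLS GROUPNAME
# Prints "<user> <shell> <status>" for each member of GROUPNAME:
#   ok           non-interactive shell that is listed in SHELLS
#   not-listed   non-interactive shell missing from SHELLS
#                (FTP login refused where a valid shell is required)
#   interactive  account can still obtain a shell, e.g. over SSH
audit_ftp_shells() {
    passwd_file=$1 group_file=$2 shells_file=$3 group=$4
    # GID and supplementary member list of the group entry.
    gid=$(awk -F: -v g="$group" '$1 == g { print $3 }' "$group_file")
    members=$(awk -F: -v g="$group" '$1 == g { print $4 }' "$group_file")
    awk -F: -v gid="$gid" -v members="$members" -v shells="$shells_file" '
        BEGIN {
            n = split(members, m, ",")
            for (i = 1; i <= n; i++) want[m[i]] = 1
            # Load the shells file, skipping comments and blank lines.
            while ((getline line < shells) > 0)
                if (line !~ /^#/ && line != "") listed[line] = 1
            # Assumption: only these shells count as non-interactive.
            nologin["/bin/false"] = 1
            nologin["/sbin/nologin"] = 1
            nologin["/usr/sbin/nologin"] = 1
        }
        # Member either by supplementary list or by primary GID.
        ($1 in want) || $4 == gid {
            if (!($7 in nologin))     status = "interactive"
            else if (!($7 in listed)) status = "not-listed"
            else                      status = "ok"
            print $1, $7, status
        }
    ' "$passwd_file"
}

# Constructed sample data (not real accounts) in passwd/group/shells format.
make_sample() {
    dir=$1
    printf '%s\n' \
        'alice:x:1001:1001::/home/alice:/bin/false' \
        'bob:x:1002:1002::/home/bob:/bin/bash' \
        'carol:x:1003:2000::/home/carol:/usr/sbin/nologin' \
        'dave:x:1004:1004::/home/dave:/bin/bash' > "$dir/passwd"
    printf '%s\n' 'ftpuser:x:2000:alice,bob' > "$dir/group"
    printf '%s\n' '# /etc/shells' '/bin/sh' '/bin/bash' '/bin/false' > "$dir/shells"
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_ftp_shells "$tmp/passwd" "$tmp/group" "$tmp/shells" ftpuser
rm -rf "$tmp"
```

To audit live accounts, pass /etc/passwd, /etc/group and /etc/shells together with the FTP group name.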
ProFTPd
Setting up FTP accounts for users using ProFTPd
Sample configuration file
ServerName "DC7700 FTP server"
ServerIdent on "DC7700 FTP Server ready."
ServerAdmin root@localhost
ServerType standalone
DefaultServer on
AccessGrantMsg "User %u logged in."
DeferWelcome off
# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups off
UseReverseDNS off
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files from being group and world writable.
Umask 022
# Default to show dot files in directory listings
ListOptions "-a"
# To prevent DoS attacks, set the maximum number of child processes to 30.
MaxInstances 30
# Allow resuming interrupted uploads as well as downloads
AllowRetrieveRestart on
AllowStoreRestart on
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
# chroot all members of group users who are not also members of adm
# to their home directory
DefaultRoot ~ users,!adm
# disable root login and require a valid shell (from /etc/shells)
RootLogin off
RequireValidShell on
# Normally, we want users to do a few things
<Global>
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
</Global>
# grant login only for members of the group ftpuser
<Limit LOGIN>
DenyGroup !ftpuser
</Limit>
# set a different umask for directory /ftp/special from the default 022
<Directory /ftp/special>
AllowOverwrite on
Umask 002 002
</Directory>
# This is where we want to put the scoreboard file
ScoreboardFile /var/run/proftpd.score
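# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
# the access log below refers to a format named "write", so it must be defined
LogFormat write "%h %l %u %t \"%r\" %s %b"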
# activate logging
# every login
ExtendedLog /var/log/proftpd/auth.log AUTH auth
# file/dir access
ExtendedLog /var/log/proftpd/access.log WRITE,READ write
# for paranoid (big logfiles!)
#ExtendedLog /var/log/proftpd/paranoid.log ALL default
# Configuration for mod_ban
<IfModule mod_ban.c>
BanEngine on
BanLog /var/log/proftpd/ban.log
BanTable /var/run/proftpd/ban.tab
# If the same client reaches the MaxLoginAttempts limit 2 times within 10 minutes,
# automatically add a ban for that client that will expire after one hour.
BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
# Allow the FTP admin to manually add/remove bans
BanControlsACLs all allow user ftpadm
</IfModule>
Additional useful configurations that can be added
# An upload directory that allows storing files but not retrieving or creating directories.
<Directory uploads/*>
AllowOverwrite no
<Limit READ>
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>
# A basic anonymous configuration, with an upload directory.
<Anonymous ~ftp>
User ftp
Group ftp
AccessGrantMsg "Anonymous login ok, restrictions apply."
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10 "Sorry, max %m users -- try again later"
# Put the user into /pub right after login
DefaultChdir /pub
# We want 'welcome.msg' displayed at login, '.message' displayed in
# each newly chdired directory and tell users to read README* files.
DisplayLogin /welcome.msg
DisplayFirstChdir .message
DisplayReadme README*
# Some more cosmetic and not vital stuff
DirFakeUser on ftp
DirFakeGroup on ftp
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE SITE_CHMOD>
DenyAll
</Limit>
</Anonymous>
http://www.proftpd.org/docs/directives/linked/configuration.html