Although there are many ways workarounding the lack of security with ye olde FTP, there is a quite handy solution: use OpenSSH via SCP/SFTP to handle the file transfers.
There are many solutions which all try to restrict the access for some users. That’s not what we are trying to do. At the end, we will have two running openssh-instances. One for ssh and the other for sftp/scp.
With Gentoo, this is quite easy to do, but even for the other distros, this howto should be usable.
Here are the steps:
1. Get OpenSSH. (Should already been done at install time)
emerge openssh
2. Copy some files, make links
cp /etc/ssh /etc/ssh2 -R cp /etc/conf.d/ssh /etc/conf.d/ssh2 ln -s /etc/init.d/sshd /etc/init.d/sshd2 ln -s /usr/sbin/sshd /usr/sbin/sshd2
3. SSH-Server
Now edit /etc/ssh/sshd_config and remove the line containing internal subsystem. Now you can decide what to do: either bind the servers to different IP and the same ports or vice versa or both. 
Anyway, the options for this are:
Port <portnumber> ListenAddress <ip-address>
3. SFTP-Server
Now edit /etc/ssh2/sshd_config and keep the Port- & IP-Settings of the SSH-server in mind.
Subsystem sftp internal-sftp # These lines must appear at the *end* of sshd_config ChrootDirectory %h ForceCommand internal-sftp
This will force every successful login to start the internal sftp server and chroot to its home directory.
Edit /etc/conf.d/sshd2
# /etc/conf.d/sshd: config file for /etc/init.d/sshd # Where is your sshd_config file stored? SSHD_CONFDIR="/etc/ssh2"# Any random options you want to pass to sshd. # See the sshd(8) manpage for more info. SSHD_OPTS="" # Pid file to use (needs to be absolute path). SSHD_PIDFILE="/var/run/sshd2.pid" # Path to the sshd binary (needs to be absolute path). SSHD_BINARY="/usr/sbin/sshd2"
4. Add SFTP to the runlevels
rc-update add ssh2 default
5. Check permissions
Make sure, that the path to each user’s home directory is being set 0755 for root:root. Otherwise, you won’t be able to log in. Let’s say, your home directory is /home/users/domains/e/example.com/t/testuser. Then, each of the path’ elements must be set to 0755 root:root. This leads to an inability of creating and removing files in the home-root. Create an incoming-files directory to get around of this.
6. EXTRA: DenyHosts just for SFTP
emerge denyhosts
edit /etc/denyhosts.conf and adapt the options to fit your needs. There is just one thing you must change:
BLOCK_SERVICE = sshd2
If you choose to run denyhosts as daemon, I suggest to add t to the default runlevel as well. And – of course – start it.
rc-update add denyhosts default /etc/init.d/denyhosts start
That’s all, folks!