De acordo com a documentação :
Cautious system administrators may want only a few select system users to be able to connect to their proftpd server--all other users are to be denied access. The LOGIN command group is designed for just this scenario:
<Limit LOGIN> AllowUser barb AllowUser dave AllowGroup ftpuser DenyAll </Limit>
This allows the users barb and dave, as well as any user in the ftpuser group, to login. All other users will be denied.
Você precisa usar a cláusula DenyAll logo após Permitir grupo de ftp