DenyUsers user1 user2 user3
Use this to block user logins. You can use wildcards as well as the USER@HOST pattern, e.g. user1@somedomain.com (user1 is not allowed to log in from the somedomain.com host).
DenyGroups group1 group2
A list of group names. If the user's primary or supplementary group is on the list, login access is denied. You can use wildcards.
Please note that you cannot use a numeric group ID or user ID. If these directives are not used, the default is to allow everyone.
AllowUsers user1 user2
This directive is the opposite of the DenyUsers directive.
AllowGroups group1 group2
This directive is the opposite of the DenyGroups directive.
You should always block access to the root user/group:
Open the /etc/ssh/sshd_config file:
Append the following names (directives):
Make sure at least one user is allowed to use the 'su -' command.
Save the file and restart sshd.
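Before restarting sshd it is worth checking what the combined directives do to a given account. The script below is an added example, not part of the original page: it applies the evaluation order documented in sshd_config(5) (DenyUsers, AllowUsers, DenyGroups, AllowGroups) to a constructed sample config. The function names, the sample config and the host otherhost.example are assumptions; negated (!) patterns and CIDR host matching are not handled.

```shell
#!/bin/sh
set -f  # patterns are data; never expand them against the filesystem
# Constructed sample config, reusing the page's placeholder names.
SAMPLE_CONFIG='# constructed sample, not a real server config
DenyUsers root user1@somedomain.com
DenyGroups root
AllowGroups group1 group2'
# values KEYWORD: print all arguments of KEYWORD lines (case-insensitive)
values() {
  printf '%s\n' "$SAMPLE_CONFIG" | awk -v k="$1" \
    'tolower($1) == tolower(k) { for (i = 2; i <= NF; i++) printf "%s ", $i }'
}

# glob_in VALUE "PATTERNS": succeed if VALUE matches any * or ? pattern
glob_in() {
  for _p in $2; do
    case "$1" in $_p) return 0 ;; esac
  done
  return 1
}

# user_in USER HOST "PATTERNS": like glob_in, plus the USER@HOST form
user_in() {
  for _u in $3; do
    case "$_u" in
      *@*) glob_in "$1" "${_u%%@*}" && glob_in "$2" "${_u#*@}" && return 0 ;;
      *)   glob_in "$1" "$_u" && return 0 ;;
    esac
  done
  return 1
}

# check_login USER HOST GROUP...: print "allow" or the directive that denies
check_login() {
  _user=$1; _host=$2; shift 2
  _du=$(values DenyUsers);  _au=$(values AllowUsers)
  _dg=$(values DenyGroups); _ag=$(values AllowGroups)
  if user_in "$_user" "$_host" "$_du"; then echo "deny: DenyUsers"; return; fi
  if [ -n "$_au" ] && ! user_in "$_user" "$_host" "$_au"; then
    echo "deny: AllowUsers"; return; fi
  _hit=0
  for _g in "$@"; do
    if glob_in "$_g" "$_dg"; then echo "deny: DenyGroups"; return; fi
    if glob_in "$_g" "$_ag"; then _hit=1; fi
  done
  if [ -n "$_ag" ] && [ "$_hit" -eq 0 ]; then echo "deny: AllowGroups"; return; fi
  echo allow
}
check_login user3 otherhost.example group2 root  # prints "deny: DenyGroups"
```

The last call shows that a Deny directive wins even when the user is also in an allowed group, and a user outside every AllowGroups entry is refused once that directive is present.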