Block users from logging into SSH

Based on custom logic

In /etc/pam.d/sshd, add

session required pam_exec.so stdout /mylogic

/mylogic will be executed with environment variable $PAM_USER which is the user trying to logging in. You can run any custom logic against the user.

/mylogic can write to stdout, which will be displayed for the end user.

Based on user name or group name

Section 1 certainly is able to accomplish this task because you know the user from $PAM_USER. But a simpler way is to use AllowGroups or AllowUsers in /etc/sshd/sshd_config. You can also place files in /etc/sshd/sshd_config.d.

Block all users except root(?)

Create file /etc/nologin. No users can log in with the presence of the file. The content of the file will be printed for displaying a reason.

Only root can log in.