How do I use PIM to block SSH connections for a clean room setup?

Article ID: 10150

Products

CA Virtual Privilege Manager
CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

These are the basic steps to configure a PIM endpoint to block SSH connections from a specific host using the TCP and HOST classes.

Environment

Linux / Unix Based OS PIM Endpoint

Resolution

  1. Turn on the HOST class from selang. The TCP class should be disabled so the two classes do not conflict:
    so class-(TCP)
    so class+(HOST)

  2. Make sure the lookaside database (LADB) has the host listed. If it does not, add the host to the local hosts file or configure sebuildla to resolve it via DNS, then rebuild the host LADB with sebuildla -h. Verify the entry:
    # sebuildla -H | grep example
    Result: example.com           <IP Address of the host>

  3. Create a HOST rule whose name matches, case-sensitively, the server name listed in the sebuildla -H output:
    nr host example.com owner(nobody)

  4. Create an auth rule that removes the host's access to the SSH service:
    auth HOST example.com service(ssh) access(none)

  5. Test an SSH connection from the host that is now blocked. The connection is closed before the SSH banner exchange completes:
    [root@example bin]# ssh example
    ssh_exchange_identification: Connection closed by the remote host

  6. Review the audit log for the denial (the D in the status column marks a denied access):
    # seaudit -a -st now-1 | grep D
    CA ControlMinder seaudit  v12.91.0.301 - Audit log lister
    Copyright (c) 2013 CA. All rights reserved.
    21 Apr 2017 11:28:40 D HOST         ssh                  156  3 example.com /usr/sbin/sshd

Additional Information

If you use the TCP class instead of the HOST class, configure it as in the following example:

  1. Turn on the TCP class and turn off the HOST and CONNECT classes:
    so class+(TCP)
    so class-(HOST)
    so class-(CONNECT)

  2. Create a HOST rule whose name matches, case-sensitively, the server name listed in the sebuildla -H output:
    nr host example.com owner(nobody)

  3. Create the TCP class rule for the ssh service. With defacc(all), all outgoing and incoming access is allowed by default:
    nr TCP ssh owner(nobody) defacc(all)

  4. Deny access to the ssh service from the specific host only:
    auth TCP ssh host(example.com) access(none)
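With either setup, step 6 of the HOST procedure (reviewing seaudit for denials) is how you confirm the block is working. The following POSIX shell script is an added example, not part of this article or of the PIM product: it filters seaudit-style output for denied ssh accesses in a given class (HOST or TCP) and reports the host and program. The column layout is assumed from the single seaudit line shown above, and the audit lines embedded in the script are constructed samples, not real output.

```shell
#!/bin/sh
# Constructed sample of seaudit output (not a real capture). Column layout is
# assumed from the one line shown in the article:
#   day month year time status class resource pid stage host program
SAMPLE_AUDIT='21 Apr 2017 11:28:40 D HOST         ssh                  156  3 example.com /usr/sbin/sshd
21 Apr 2017 11:29:02 P HOST         ssh                  157  3 other.example.com /usr/sbin/sshd
21 Apr 2017 11:29:15 D HOST         telnet               158  3 example.com /usr/sbin/in.telnetd
21 Apr 2017 11:30:40 D TCP          ssh                  159  3 example.com /usr/sbin/sshd'

# ssh_denials CLASS
# Reads seaudit-style lines on stdin and prints "host class program" for each
# record whose status is D (denied), whose class is CLASS (HOST or TCP) and
# whose resource is ssh. Permitted (P) records and other services are skipped.
ssh_denials() {
  cls=$1
  awk -v cls="$cls" '$5 == "D" && $6 == cls && $7 == "ssh" { print $10, $6, $11 }'
}

# count_ssh_denials CLASS
# Convenience wrapper: number of denied ssh records for CLASS in the sample.
count_ssh_denials() {
  printf '%s\n' "$SAMPLE_AUDIT" | ssh_denials "$1" | wc -l | tr -d ' '
}

# Against a live endpoint you would pipe the real lister instead:
#   seaudit -a -st now-1 | ssh_denials HOST
printf '%s\n' "$SAMPLE_AUDIT" | ssh_denials HOST
```

On the constructed sample this prints the one HOST-class denial for example.com, and the same function with TCP as the argument reports the TCP-class denial from the second configuration.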