2

For testing it I added these four lines to my /etc/hosts.deny file:

# /etc/hosts.deny
ssh-agent:ALL
sshd:ALL
 

I waited some time and then I tried to gain ssh access to the loop-back IP address. But I still get this:

$ ssh root@localhost
Password: ▊

And I can access it. I even tried adding entries explicitly denying access from 127.0.0.1.

Lenar Hoyt

1 Answer

5

Tcpwrappers (which uses the entries in hosts.deny) has been removed from OS X 10.8 (Mountain Lion), so sshd is no longer paying attention to what is in that file. You can use Packet Filter instead, or install libwrap via MacPorts and recompile sshd.

Run "man pfctl" to get details on how to control and configure the rules.

There's a nice run-down on how to use pfctl here: A Cheat Sheet For Using pf in OS X Lion and Up

seren
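A Packet Filter counterpart to the `sshd:ALL` line from the question, added here as an example and not part of the original answer. The anchor name `deny-ssh` and the file `/etc/pf.anchors/deny-ssh` are assumptions chosen for illustration.

```conf
# --- /etc/pf.anchors/deny-ssh (hypothetical file, constructed example) ---
# Refuse every inbound TCP connection to the SSH port. No address family is
# given, so the rule matches IPv4 and IPv6, and it applies on all interfaces,
# including loopback (the "ssh root@localhost" test from the question).
# "return" answers with a TCP RST so clients fail fast instead of timing out;
# "quick" stops rule evaluation at the first match.
block return in quick proto tcp from any to any port 22

# --- lines appended at the end of /etc/pf.conf ---
# Reference the anchor from the main ruleset and load its rules from the file.
anchor "deny-ssh"
load anchor "deny-ssh" from "/etc/pf.anchors/deny-ssh"

# --- commands, run from a terminal ---
# Parse the main ruleset without loading it (syntax check only):
#   sudo pfctl -n -f /etc/pf.conf
# Load the ruleset and enable pf:
#   sudo pfctl -f /etc/pf.conf
#   sudo pfctl -e
# Confirm that the rule is present in the anchor:
#   sudo pfctl -a deny-ssh -s rules
```

Connections that were already established when the ruleset was loaded may persist until they close; test with a new `ssh` session.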