Deny user login by /etc/shadow
Default, Linux systems use /etc/shadow to store the encrypted user passwords. The quickest way to block a user is to alter is password stored in /etc/shadow. Normally an active user account will have one line in /etc/shadow that will look like:
files:$1$x52JQZle$82KTK0hbzozR3BRuwEWLF.:14970:0:99999:7:::
Where the second field is the encrypted password. If we replace the password with “*” or “!” this will make the account unusable, and it will mean that no login is permitted for the user
files:!:14970:0:99999:7:::
Deny user login by passwd command
Use flag -l to lock the specified account and it is available to root only, example deny user1 login
# passwd -l user1
Deny user login by usermod command
The /sbin/nologin command politely refuse a login. It displays a message that an account is not available and exits non-zero. This is prefreed method these days to deny login access to account. You can also change shell to /sbin/nologin, type the following command
# usermod -s /sbin/nologin user1
Verify with these commands:
# cat /etc/passwd | grep user1
Shown as follows
user1:x:607:605::/home/user1:/sbin/nologin