Well,
Why go through all the hassle yourself putting in the TCP Wrapper. Just open admintool or vi /etc/shadow and put in a NOLOGIN or change the password.
Unless for some reasons he can still connect to your box when you changed your password, then check your /.rhosts files and check the .ssh stuffs. Most of these are what they call Backdoor. They put these stuffs in so that they can still access your box even if you kill the process (PIDS)
Hope this help you my friend,
-David