To the best of my knowledge, any "Access Denied" SSH failure message is generated by your client, not the server (SnapGear).
The "Sash command shell" bannier is, I believe, built into the shell and mostly beyond customization (barring recompilation). However, I expect the /etc/motd message, were the file to contain anything, would likely get displayed. I do not know how to get it modified through a reboot.
Your question on restricting IP addresses allowd to manage the device is pretty straight forward:
1) Create multiple Address Definitions, one per IP address or subnet to which you wish to grant access.
2) Create an Address Group Definition called "Mgmt Addresses" or such, adding all the individual Addresses to it.
3) Create a Service Group Definition called "SnapGear Mgmt" or such, select HTTP, HTTPS, Telnet, SSH, SNMP (or whatever protocols you wish to grant).
4) Create a Packet Filter Rule with the following settings:
4a) Name: SnapGear Mgmt
4b) Enable: yes
4c) Action: Accept
4d) Type: Input
4e) Incoming Interface: Any
4f) Source Address: Mgmt Addresses
4g) Destination Address: Internet Port
4h) Services: SnapGear Mgmt
5) Ensure you have completed the above steps accurately and are, preferably, connected via the LAN inteface.
6) In the Firewall/Incoming Access section, UNCHECK everything for Internet interfaces.
The Incoming Access section defines the *default* access rights. By creating the Packet Filter rule explicitly granting access as configured it will come before the default rules, now set to denied.