Why don't you just implement a maximum quantity of MAC address with port-security? This way, the port will shutdown (or ignore the new MAC address) when they plug a router or switch.
I don't think it's possible to issue any kind of wildcard filter with port-security. You could do a VLAN-ACL blocking all the MAC addresses you don't want but it will be time consuming!! Restricting the number of MAC addresses with port-security as above is a lot easier.
switchport port-security max 1
switchport port-security violation shutdown (to shutdown the port in case of violation)
switchport port-security violation protect (ignore the new MAC address)
switchport port-security mac-address sticky (if you want to hard code the MAC address actually in use on the port)