Fail2ban – Why SSH Attempts Are Not Being Blocked

I have set up fail2ban to block failed ssh attempts. I checked the rule with fail2ban-regex and and an extract from my logs, this works fine.

I also checked the logs for the "Ban" notice and the IP in question and it's there:

zgrep 'Ban.*202.29.214.13' /var/log/fail2ban.log*
/var/log/fail2ban.log:2021-08-23 01:27:19,023 fail2ban.actions        [1460]: NOTICE  [sshd] Ban 202.29.214.13

However, my ssh / auth logs still show attempts from that IP after the timestamp in question:

Aug 23 01:27:23 myhost123 sshd[4526]: message repeated 2 times: [ Failed password for root from 202.29.214.13 port 47633 ssh2]
Aug 23 01:27:23 myhost123 sshd[4526]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 47633 ssh2 [preauth]
Aug 23 01:27:23 myhost123 sshd[4526]: Disconnecting authenticating user root 202.29.214.13 port 47633: Too many authentication failures [preauth]
Aug 23 01:27:31 myhost123 sshd[4533]: message repeated 2 times: [ Failed password for root from 202.29.214.13 port 50424 ssh2]
Aug 23 01:27:31 myhost123 sshd[4533]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 50424 ssh2 [preauth]
Aug 23 01:27:31 myhost123 sshd[4533]: Disconnecting authenticating user root 202.29.214.13 port 50424: Too many authentication failures [preauth]
Aug 23 01:27:39 myhost123 sshd[4535]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 53056 ssh2 [preauth]
Aug 23 01:27:39 myhost123 sshd[4535]: Disconnecting authenticating user root 202.29.214.13 port 53056: Too many authentication failures [preauth]
Aug 23 01:27:48 myhost123 sshd[4542]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 55901 ssh2 [preauth]
Aug 23 01:27:48 myhost123 sshd[4542]: Disconnecting authenticating user root 202.29.214.13 port 55901: Too many authentication failures [preauth]
Aug 23 01:27:55 myhost123 sshd[4551]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 58908 ssh2 [preauth]
Aug 23 01:27:55 myhost123 sshd[4551]: Disconnecting authenticating user root 202.29.214.13 port 58908: Too many authentication failures [preauth]
Aug 23 01:28:03 myhost123 sshd[4565]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 61129 ssh2 [preauth]
Aug 23 01:28:03 myhost123 sshd[4565]: Disconnecting authenticating user root 202.29.214.13 port 61129: Too many authentication failures [preauth]
Aug 23 01:28:23 myhost123 sshd[4577]: error: maximum authentication attempts exceeded for invalid user admin from 202.29.214.13 port 3511 ssh2 [preauth]
Aug 23 01:29:24 myhost123 sshd[4613]: error: maximum authentication attempts exceeded for invalid user oracle from 202.29.214.13 port 24149 ssh2 [preauth]
Aug 23 01:30:07 myhost123 sshd[4641]: error: maximum authentication attempts exceeded for invalid user usuario from 202.29.214.13 port 37311 ssh2 [preauth]
Aug 23 01:30:15 myhost123 sshd[4647]: error: maximum authentication attempts exceeded for invalid user usuario from 202.29.214.13 port 39486 ssh2 [preauth]
Aug 23 01:30:58 myhost123 sshd[4684]: error: maximum authentication attempts exceeded for invalid user test from 202.29.214.13 port 52882 ssh2 [preauth]
Aug 23 01:31:33 myhost123 sshd[4699]: error: maximum authentication attempts exceeded for invalid user user from 202.29.214.13 port 64849 ssh2 [preauth]

Should fail2ban not block all requests from that IP completely? Any hints on what to check appreciated.