Fail2ban – How to Verify Fail2ban is Working on Debian 10 VPS


I have a Debian 10 server running on a VPS.
The only software I installed is tinyproxy (HTTP proxy) and fail2ban.

I have included the results of a port scan using nmap.

I have included my specific settings in the fail2ban jail.local file.

I have included my specific settings in the fail2ban fail2ban.local file.

I have included below a sample of entries from auth log.

I have included below a sample of entries from fail2ban log.

I have included my results from a sample scan of iptables.

I do not understand if fail2ban is working,
i.e. causing IPs to be blocked based upon the entries in iptables that fail2ban has made.

As example:

== auth.log shows attempted entry by 192.241.141.43, almost every minute
== fail2ban.log shows 192.241.141.43 is banned
== iptables shows 192.241.141.43 is banned

I thought that, based upon the IP being blocked, the malicious user would NOT be able to attempt a login.
Yet it seems that these users are indeed able to attempt logins.

MY QUESTIONS, Please:

  1. Does it appear that fail2ban is working?
  2. Why are malicious users allowed to even attempt login if they are banned?

Many thanks!

===
=== Results from nmap scan

# Nmap 7.80 scan initiated Sat Jan 27 15:25:04 2024 as: nmap -sS -oG out.txt 107.174.156.124

Host: 107.174.156.124 (107-174-156-124-host.colocrossing.com)   Status: Up
Host: 107.174.156.124 (107-174-156-124-host.colocrossing.com)   Ports: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///, 8888/open/tcp//sun-answerbook///    Ignored State: closed (997)

# Nmap done at Sat Jan 27 15:25:06 2024 -- 1 IP address (1 host up) scanned in 2.20 seconds

===
=== Here are my entries in jail.local

#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled = true
mode = aggressive
port = 63xxx
filter = sshd
logpath = /var/log/auth.log
bantime = 2000000
findtime = 7200
maxretry = 2
backend = %(sshd_backend)s
action = iptables-multiport[name=sshd, port="ssh", protocol=tcp]

===
=== Here are my entries in fail2ban.local

# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 2100000

===
=== Here is a sample of the auth log

As an example, there are several attempts by 192.241.141.43,
and this is repeated almost every minute!

Jan 27 15:54:55 racknerd-64d010 sshd[2232]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.141.43  user=root
Jan 27 15:54:57 racknerd-64d010 sshd[2232]: Failed password for root from 192.241.141.43 port 54798 ssh2
Jan 27 15:54:57 racknerd-64d010 sshd[2232]: Received disconnect from 192.241.141.43 port 54798:11: Bye Bye [preauth]
Jan 27 15:54:57 racknerd-64d010 sshd[2232]: Disconnected from authenticating user root 192.241.141.43 port 54798 [preauth]

===
=== Here is a sample of the fail2ban log

As an example, fail2ban says 192.241.141.43 is banned:

2024-01-27 15:55:50,928 fail2ban.actions        [29992]: WARNING [sshd] 82.102.12.130 already banned
2024-01-27 15:55:50,929 fail2ban.actions        [29992]: WARNING [sshd] 192.241.141.43 already banned
2024-01-27 15:55:50,929 fail2ban.actions        [29992]: WARNING [sshd] 159.75.161.40 already banned

===
=== Results from iptables scan

IP 192.241.141.43 is banned:

    0     0 REJECT     all  --  *      *       61.231.64.170        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       192.241.141.43       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       104.250.34.177       0.0.0.0/0            reject-with icmp-port-unreachable

Best Answer

It looks like it's working according to your log file:

/var/log/fail2ban.log

Fail2ban also has its own tool to check the status: fail2ban-client status sshd

On my machine, where it's working, it looks like this:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed:     192
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 41
   |- Total banned:     41
   `- Banned IP list:   (41 banned addresses omitted)
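A second check worth running beside fail2ban-client status: a ban only bites if the INPUT jump into the f2b-sshd chain covers the port sshd actually listens on. In the jail.local above the jail sets port = 63xxx, but the action line passes port="ssh" explicitly, so the jump rule is what to inspect. The script below is an added example, not code from the original post or from fail2ban; it parses a constructed iptables -S sample that mirrors the poster's setup, and on a live host you would feed it the real iptables -S output and the port from sshd -T.

```shell
#!/bin/sh
# Added example (not from the original post): given `iptables -S` output and
# the port sshd listens on, report whether the fail2ban sshd jail can block
# anyone on that port.  Inputs are constructed; on a live host run:
#   f2b_diagnose "$(iptables -S)" "$(sshd -T | awk '$1=="port"{print $2}')"

# Constructed `iptables -S` sample: the action's port="ssh" put the jump on
# port 22, while the REJECT for 192.241.141.43 sits inside f2b-sshd.
SAMPLE_RULES='-P INPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
-A f2b-sshd -s 192.241.141.43/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'

# Ports that jump into f2b-sshd, one per line (handles --dports 22,2222).
f2b_jump_ports() {
  printf '%s\n' "$1" | grep -- '-j f2b-sshd' \
    | sed -n 's/.*--dports* \([0-9,]*\).*/\1/p' | tr ',' '\n'
}

# Exit 0 if the jump covers PORT ($2), 1 otherwise.
f2b_jump_covers_port() {
  f2b_jump_ports "$1" | grep -qx "$2"
}

# Exit 0 if IP ($2) has a REJECT entry in the f2b-sshd chain.
f2b_ban_present() {
  printf '%s\n' "$1" | grep -qF -- "-A f2b-sshd -s $2/32 -j REJECT"
}

# Verdict on stdout; exit 0 only when bans can actually take effect.
f2b_diagnose() {
  rules="$1"; sshport="$2"
  if f2b_jump_covers_port "$rules" "$sshport"; then
    echo "OK: f2b-sshd jump covers sshd port $sshport"
    return 0
  fi
  jumps=$(f2b_jump_ports "$rules" | tr '\n' ' ')
  echo "MISMATCH: jump covers port(s) ${jumps}but sshd listens on $sshport; banned hosts can still reach sshd"
  return 1
}
```

With the sample rules, f2b_diagnose reports OK for port 22 and MISMATCH for a port such as 63001, which is the case a jail banning on port="ssh" while sshd listens elsewhere would hit.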