I'm new to fail2ban, so please ignore any ignorance...

I installed fail2ban 2 weeks ago on a centOS host that is an asterisk (VOIP) server that needs to have UDP port 5060 open to the internet. Unfortunately this means that there are a LOT of brute-force hacking attempts. After installing fail2ban, it seemed that it worked with my limited testing. Unfortunately it doesn't seem to catch all of the attempts or does not react quickly enough for it to block out significant attacks. For example, I have a foreign host that probed it 6000+ times over a period of 20+ minutes before being blocked. In my testing, it had locked me out when trying to register after 5 unsuccessful attempts.

So my question is: why did it allow so many attempts before blocking 91.121.39.244?

Some interesting info:
6000+ invalid attempts were made
It appears that the last attempt logged in /var/log/asterisk/full was at 2010-11-29 05:15:25
The host wasn't banned until 2010-11-29 05:40:29,210

Help is appreciated!
- Aaron

FAIL2BAN LOG
================
2010-11-29 04:02:12,086 fail2ban.filter : INFO   Log rotation detected for /var/log/asterisk/full
2010-11-29 05:40:29,210 fail2ban.actions: WARNING [asterisk-iptables] Ban 91.121.39.244

FAIL2BAN E-mail
=================
Hi,

The IP 91.121.39.244 has just been banned by Fail2Ban after
6907 attempts against ASTERISK.

fail2ban asterisk.conf
=================
 Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

jail.conf
==================
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 192.168.10.1/24

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

##......other jails removed...

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=aaron@mycommunitynet.net, sender=fail2ban@voice.aboutimpact.org]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime = 259200


ASTERISK LOGS
=======================

...it started by searching for valid extensions...

<-- SIP read from 91.121.39.244:5069: 
2010-11-29 04:44:07 DEBUG[3006] acl.c: ##### Testing 91.121.39.244 with 192.168.10.0
2010-11-29 04:44:07 DEBUG[3006] chan_sip.c: Target address 91.121.39.244 is not local, substituting externip
2010-11-29 04:44:07 VERBOSE[3006] logger.c: Transmitting (NAT) to 91.121.39.244:5069:
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-407373909;received=91.121.39.244;rport=5069
2010-11-29 04:44:07 NOTICE[3006] chan_sip.c: Registration from '"3555318469"<sip:3555318469@192.168.100.204>' failed for '91.121.39.244' - Username/auth name mismatch
<-- SIP read from 91.121.39.244:5069: 
2010-11-29 04:44:07 DEBUG[3006] acl.c: ##### Testing 91.121.39.244 with 192.168.10.0
2010-11-29 04:44:07 DEBUG[3006] chan_sip.c: Target address 91.121.39.244 is not local, substituting externip
2010-11-29 04:44:07 VERBOSE[3006] logger.c: Transmitting (NAT) to 91.121.39.244:5069:
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-3784721882;received=91.121.39.244;rport=5069
2010-11-29 04:44:07 NOTICE[3006] chan_sip.c: Registration from '"123"<sip:123@192.168.100.204>' failed for '91.121.39.244' - Username/auth name mismatch
<-- SIP read from 91.121.39.244:5069: 
2010-11-29 04:44:07 DEBUG[3006] acl.c: ##### Testing 91.121.39.244 with 192.168.10.0
2010-11-29 04:44:07 DEBUG[3006] chan_sip.c: Target address 91.121.39.244 is not local, substituting externip
2010-11-29 04:44:07 VERBOSE[3006] logger.c: Transmitting (NAT) to 91.121.39.244:5069:
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-1074930351;received=91.121.39.244;rport=5069
2010-11-29 04:44:07 NOTICE[3006] chan_sip.c: Registration from '"1234"<sip:1234@192.168.100.204>' failed for '91.121.39.244' - Username/auth name mismatch
<-- SIP read from 91.121.39.244:5069: 
2010-11-29 04:44:07 DEBUG[3006] acl.c: ##### Testing 91.121.39.244 with 192.168.10.0
2010-11-29 04:44:07 DEBUG[3006] chan_sip.c: Target address 91.121.39.244 is not local, substituting externip
2010-11-29 04:44:07 VERBOSE[3006] logger.c: Transmitting (NAT) to 91.121.39.244:5069:
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-2459551551;received=91.121.39.244;rport=5069
2010-11-29 04:44:07 NOTICE[3006] chan_sip.c: Registration from '"12345"<sip:12345@192.168.100.204>' failed for '91.121.39.244' - Username/auth name mismatch
<-- SIP read from 91.121.39.244:5069: 
2010-11-29 04:44:08 DEBUG[3006] acl.c: ##### Testing 91.121.39.244 with 192.168.10.0
2010-11-29 04:44:08 DEBUG[3006] chan_sip.c: Target address 91.121.39.244 is not local, substituting externip
2010-11-29 04:44:08 VERBOSE[3006] logger.c: Transmitting (NAT) to 91.121.39.244:5069:
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-3742758567;received=91.121.39.244;rport=5069
2010-11-29 04:44:08 NOTICE[3006] chan_sip.c: Registration from '"123456"<sip:123456@192.168.100.204>' failed for '91.121.39.244' - Username/auth name mismatch
<-- SIP read from 91.121.39.244:5069: 
2010-11-29 04:44:08 DEBUG[3006] acl.c: ##### Testing 91.121.39.244 with 192.168.10.0
2010-11-29 04:44:08 DEBUG[3006] chan_sip.c: Target address 91.121.39.244 is not local, substituting externip
2010-11-29 04:44:08 VERBOSE[3006] logger.c: Transmitting (NAT) to 91.121.39.244:5069:
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-3315828928;received=91.121.39.244;rport=5069
2010-11-29 04:44:08 NOTICE[3006] chan_sip.c: Registration from '"test"<sip:test@192.168.100.204>' failed for '91.121.39.244' - Username/auth name mismatch
<-- SIP read from 91.121.39.244:5069: 
2010-11-29 04:44:08 DEBUG[3006] acl.c: ##### Testing 91.121.39.244 with 192.168.10.0
2010-11-29 04:44:08 DEBUG[3006] chan_sip.c: Target address 91.121.39.244 is not local, substituting externip
2010-11-29 04:44:08 VERBOSE[3006] logger.c: Transmitting (NAT) to 91.121.39.244:5069:
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-3571638755;received=91.121.39.244;rport=5069
2010-11-29 04:44:08 NOTICE[3006] chan_sip.c: Registration from '"sip"<sip:sip@192.168.100.204>' failed for '91.121.39.244' - Username/auth name mismatch


...and continued on to finding valid extensions and trying passwords...

2010-11-29 05:15:17 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:17 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:17 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:18 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:19 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:19 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:19 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:20 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:20 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:20 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:20 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:20 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:21 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:21 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:22 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:22 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:23 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:23 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:23 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:24 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:24 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:24 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:24 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:24 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:24 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password
2010-11-29 05:15:25 NOTICE[3006] chan_sip.c: Registration from '"604" <sip:604@192.168.100.204>' failed for '91.121.39.244' - Wrong password