[Transferred to discord] Help needed with debug

Dear all,

some bad guys keep returning to my servers despite they (supposedly) had been banned.
One example:

oracle-2:~# cscli decisions list
╭─────────┬──────────┬────────────────────┬───────────────────────────┬────────┬─────────┬─────────────────────────────────────────────────┬────────┬─────────────────────┬──────────╮
│   ID    │  Source  │    Scope:Value     │          Reason           │ Action │ Country │                       AS                        │ Events │     expiration      │ Alert ID │
├─────────┼──────────┼────────────────────┼───────────────────────────┼────────┼─────────┼─────────────────────────────────────────────────┼────────┼─────────────────────┼──────────┤
│ 1050449 │ crowdsec │ Ip:183.15.207.251  │ crowdsecurity/ssh-slow-bf │ ban    │ CN      │ 4134 Chinanet                                   │ 14     │ 22h25m58.183466833s │ 519      │
│ 1050448 │ crowdsec │ Ip:23.224.55.113   │ crowdsecurity/ssh-slow-bf │ ban    │ US      │ 40065 CNSERVERS                                 │ 11     │ 21h37m46.971431366s │ 518      │
│ 1035447 │ crowdsec │ Ip:109.205.56.166  │ crowdsecurity/ssh-slow-bf │ ban    │ HK      │ 56971 Cgi Global Limited                        │ 16     │ 20h19m45.728889268s │ 516      │
│ 1035446 │ crowdsec │ Ip:64.227.132.252  │ crowdsecurity/ssh-bf      │ ban    │ IN      │ 14061 DIGITALOCEAN-ASN                          │ 8      │ 19h37m41.282421325s │ 515      │
│ 1005437 │ crowdsec │ Ip:118.194.250.218 │ crowdsecurity/ssh-slow-bf │ ban    │ TH      │ 135377 UCLOUD INFORMATION TECHNOLOGY HK LIMITED │ 16     │ 15h47m59.048679693s │ 504      │
│ 1005436 │ crowdsec │ Ip:51.136.59.40    │ crowdsecurity/ssh-slow-bf │ ban    │ NL      │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK                │ 13     │ 15h8m22.280716181s  │ 503      │
│ 1005435 │ crowdsec │ Ip:47.236.226.131  │ crowdsecurity/ssh-slow-bf │ ban    │ SG      │ 45102 Alibaba US Technology Co., Ltd.           │ 12     │ 14h52m24.983084102s │ 502      │
│ 990434  │ crowdsec │ Ip:64.227.184.109  │ crowdsecurity/ssh-bf      │ ban    │ IN      │ 14061 DIGITALOCEAN-ASN                          │ 8      │ 14h31m23.529697213s │ 500      │
│ 990392  │ crowdsec │ Ip:67.140.77.53    │ crowdsecurity/ssh-bf      │ ban    │ US      │ 7029 WINDSTREAM                                 │ 7      │ 14h13m29.217197835s │ 458      │
╰─────────┴──────────┴────────────────────┴───────────────────────────┴────────┴─────────┴─────────────────────────────────────────────────┴────────┴─────────────────────┴──────────╯
91 duplicated entries skipped

The guy at 64.227.184.109 was first discovered today at 03:51 AM, however he was able to nag me until 04:46 AM.

As I understand crowdsec, the IP should have been banned when it created the first alert. How is it then possible that the same IP keeps re-occurring? In total, the IP has been banned for 124 times this morning. (All 124 times, he has been banned for ssh misbehavior).

How can I find out why this IP still had access to my port 22?

Would anybody please enlighten me and give me a hand?

Kind regards,