Fail2Ban not adding IP to jail

I am receiving a lot (thousands) of messages like this but Fail2Ban is not adding it to any jail. If I add it manually (fail2ban-client set recidive banip then it is blocking it. But most of the attacks were made during the night so it is impossible to block them manually.

manager.c: tried to authenticate with nonexistent user 'root’
manager.c: failed to authenticate as 'root’
manager.c: tried to authenticate with nonexistent user 'cron’
manager.c: failed to authenticate as ‘cron’

FreePBX: 6.12.65-27
Fail2Ban: 0.8.14 (Latest available on repositories)


Configuration automatically generated via the Sysadmin Module

# This file will be overwritten by Sysadmin on startup. If you modify
# this file, your changes will be lost. DO NOT MODIFY THIS FILE!
# generated: Thu, 28 Apr 2016 15:00:46 -0500

ignoreip =
bantime = 3600
findtime = 60000
maxretry = 3
backend = auto

enabled = true
filter = asterisk-security
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/fail2ban
enabled = true
filter = freepbx
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/freepbx_security.log
enabled = true
filter = sshd
action = iptables-multiport[name=SSH, protocol=tcp, port=ssh]
logpath = /var/log/secure
enabled = true
filter = apache-auth
action = iptables-multiport[name=apache-auth, protocol=tcp, port=http]
logpath = /var/log/httpd/error_log
enabled = true
filter = vsftpd
action = iptables-multiport[name=FTP, protocol=tcp, port=ftp]
logpath = /var/log/vsftpd.log
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, protocol=all, port="http,https"]
logpath = /var/log/httpd/*access_log
# recidivist.
#  Noun: A convicted criminal who reoffends, especially repeatedly.
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 20


# Fail2Ban filter for asterisk authentication failures


# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


_daemon = asterisk

__pid_re = (?:\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Request from '[^']*' failed for '<HOST>:\d+' .+ No matching endpoint found$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@][email protected]<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: Friendly Scanner from <HOST>$

ignoreregex =

# Author: Xavier Devlamynck / Daniel Black
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
# First regex: channels/chan_sip.c
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog

Watch this ticket: