I did not enable the recidive jail. I did not even know it exists - thank you for pointing it out. I looked at it, and it analyzes fail2ban.log looking for bans (all services) and may ban an IP for more time. But it does not increase ban time exponentially. It is very similar to the [f2b-loop2] jail from my example.
Right now I am looking at how to detect a botnet attack with changing IPs. Any ideas?
I’m getting failed attempts from 45.143.223.12, 45.143.223.130, 45.143.223.20.
What are the best practices for this situation? Better botnets may have totally different IP classes, impossible to detect. Maybe integrating http://www.blocklist.de/ or something similar into the system?
Are there any other ways to detect a botnet?