Avoid unbanning an IP that is still banned by another jail. #2

Open
amorsent wants to merge 2 commits into ElevatoDigital:master from amorsent:master

@amorsent

Fixes long-term recidive bans being reversed after the shorter-term ban expires.

@amorsent

We have several jails defined. Most have a short ban time on the order of 5-10 min.
We also have the recidive jail catching repeat offenders and banning for much longer (a week).

We noticed that the recidive bans were being quickly undone when the shorter bans expire.

With the default iptables based action, this is not an issue because each jail has its own iptables chain and the bans/unbans from each jail are isolated.

However, since this action is sharing a single AWS IP set, the actions now conflict.

The sequence would look like this:

  1. ... A series of bans have already taken place....
  2. Short term Jail: "You're banned again for 5 min"
  3. Recidive Jail: "You've been getting banned a lot, You're banned for 1 week!"
  4. Short term Jail (5 min later): "Ok you've served your time, you're unbanned"

Technically the unbans from one jail will undo bans from any other jail - but it is most problematic for the recidive ban. The recidive ban is always triggered by another ban that will then expire in a few min, thus completely undermining the recidive jail.

My fix for this is to keep track of how many bans per IP and only remove them from the IPSet when the last one is lifted.
I'm using a file (/var/aws-fail2ban) to keep track of this. I don't have a preference on where this file sits so feel free to revise that.
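
The reference-counting approach described in the comment above, as an added example that is not the pull request's own code: the state file keeps one line per active ban, and the shared IP set should only be touched when the function prints `add` or `remove`. The function names, the `STATE_FILE` default and the sample address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: reference-counted bans for several jails sharing one IP set.
# STATE_FILE is an assumed location; the PR itself uses /var/aws-fail2ban.
STATE_FILE="${STATE_FILE:-$(mktemp)}"

# Serialise updates, since actions from different jails can fire together.
_lock()   { until mkdir "$STATE_FILE.lock" 2>/dev/null; do sleep 1; done; }
_unlock() { rmdir "$STATE_FILE.lock"; }

# Print how many jails currently hold a ban on IP $1 (one line per ban).
ban_count() {
    [ -f "$STATE_FILE" ] || { echo 0; return; }
    grep -cxF -- "$1" "$STATE_FILE" || true
}

# Record a ban. Prints "add" only for the first ban of an IP, which is when
# the caller should insert the address into the shared IP set.
record_ban() {
    _lock
    before=$(ban_count "$1")
    printf '%s\n' "$1" >> "$STATE_FILE"
    _unlock
    [ "$before" -eq 0 ] && echo add || echo keep
}

# Release a ban. Prints "remove" only when the last jail lets go; an unban
# with no recorded ban is ignored and prints "keep".
record_unban() {
    _lock
    before=$(ban_count "$1")
    if [ "$before" -gt 0 ]; then
        # Drop a single matching line so other jails' bans stay recorded.
        awk -v ip="$1" '!hit && $0 == ip { hit = 1; next } { print }' \
            "$STATE_FILE" > "$STATE_FILE.tmp" && mv "$STATE_FILE.tmp" "$STATE_FILE"
    fi
    _unlock
    [ "$before" -eq 1 ] && echo remove || echo keep
}

# Replay of the sequence above; 203.0.113.7 is a constructed address.
record_ban 203.0.113.7     # short-term jail bans      -> add
record_ban 203.0.113.7     # recidive jail bans        -> keep
record_unban 203.0.113.7   # short-term ban expires    -> keep
record_unban 203.0.113.7   # recidive ban expires      -> remove
```

If a run is killed between `_lock` and `_unlock`, the `.lock` directory stays behind and later calls wait on it, so it has to be cleared by hand.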
