How to properly make an ssh bastion with fail2ban in a Docker container


I’m in the process of making an ssh bastion (with fail2ban for security) in a Docker container. The container will serve no other purpose than being an ssh bastion and will serve to access bound volumes via sshfs.

Currently, I’m using what I suspect is a very poor method.
My Dockerfile:

  1. pulls the latest debian stable-slim image,
  2. installs ssh and fail2ban via apt,
  3. adds users, sshd_config and fail2ban jails,
  4. then specifies a wrapper bash script in which I unconditionally start ssh and fail2ban with custom configuration paths in /app

It works, with some caveats (no /var/log/auth.log for fail2ban to eat so quite a bit of configuration twisting there), but I feel I’m doing it wrong.

The problem is it’s super hard to find information regarding how to properly do what I’m trying to do. There are endless pages listing how to ssh into a container for debugging, backup etc. There are also some interesting pages about why you shouldn’t ssh into a container. But I haven’t found the holy grail page of “this is how you properly set up an ssh bastion with fail2ban in a Docker container”. Does it even exist? Or am I right to do it the way I am?
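As an added example (my own sketch, not the poster's script or anything from the Debian, OpenSSH or fail2ban projects), here is the shape a wrapper script for step 4 can take when the container has no syslog and no /var/log/auth.log. The idea is to let sshd write its own log file with `-E` and point the fail2ban `sshd` jail at that file with the `polling` backend, so no journal or rsyslog is needed. It assumes the image was built from debian:stable-slim with openssh-server and fail2ban installed via apt, that this script is the container entrypoint, and that the container is started with `--cap-add=NET_ADMIN` so that fail2ban's iptables ban action can actually insert rules in the container's network namespace; the environment variable names and the /app path are assumptions, not anything the post specifies.

```shell
#!/bin/sh
# entrypoint.sh: added example wrapper for an ssh-bastion container
# (assumed layout: custom configs under /app, sshd + fail2ban from apt).
set -eu

AUTH_LOG="${AUTH_LOG:-/var/log/auth.log}"          # file sshd will log to
SSHD_CONFIG="${SSHD_CONFIG:-/app/sshd_config}"      # assumed path
F2B_CONF_DIR="${F2B_CONF_DIR:-/etc/fail2ban}"

# Write a jail.local that reads the file sshd itself writes. "polling"
# avoids any dependency on systemd/journal or inotify support; the
# iptables ban action only works if the container has CAP_NET_ADMIN and
# sees the real client address (not a userland-proxy source address).
write_fail2ban_jail() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/jail.local" <<EOF
[DEFAULT]
backend = polling
banaction = iptables-multiport
bantime = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port = ssh
logpath = $AUTH_LOG
EOF
    echo "$dir/jail.local"
}

# Bail out early if the ban action cannot work; a bastion whose bans
# silently fail is worse than one that refuses to start.
check_ban_capability() {
    iptables -L INPUT -n >/dev/null 2>&1
}

main() {
    # Debian's sshd needs the privilege-separation directory at runtime.
    mkdir -p /run/sshd
    # Generate any missing host keys (no-op if the image already has them).
    ssh-keygen -A
    # Refuse to start on a broken sshd_config rather than fall back silently.
    sshd -t -f "$SSHD_CONFIG"
    # fail2ban's polling backend needs the log file to exist before start.
    touch "$AUTH_LOG"
    write_fail2ban_jail "$F2B_CONF_DIR" >/dev/null
    check_ban_capability || {
        echo "iptables unavailable: run with --cap-add=NET_ADMIN" >&2
        exit 1
    }
    # fail2ban in the background, sshd log mirrored to docker logs,
    # sshd in the foreground so the container's lifetime follows it.
    fail2ban-server -xf start &
    tail -n 0 -F "$AUTH_LOG" >&2 &
    exec /usr/sbin/sshd -D -e -E "$AUTH_LOG" -f "$SSHD_CONFIG"
}

# Only run the services when explicitly asked; the functions above can
# then be sourced and checked without sshd or fail2ban installed.
if [ "${RUN_BASTION:-0}" = "1" ]; then
    main "$@"
fi
```

With this layout the Dockerfile's last lines reduce to `COPY entrypoint.sh /app/` and `ENTRYPOINT ["/app/entrypoint.sh"]`, with `RUN_BASTION=1` set in the environment. Two caveats a practitioner should keep in mind: fail2ban's bans live in the container's own iptables, so they are lost when the container restarts unless the fail2ban database directory is on a volume, and if the host forwards the port through Docker's userland proxy the container may see the bridge address instead of the client address, in which case bans apply to the wrong host and a host-level fail2ban is the safer option.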