You can protect the API with web server basic auth and SSL; `curl` can handle it directly from the command line (something like `https://login:email@example.com/list/sshd/1`). To do this, bind the container to 127.0.0.1 instead of 0.0.0.0 and proxy to it from nginx or any other web server you love.
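A sketch of the nginx side of that setup, added here as an example and not taken from this project: the container port (8080), the host name, and the certificate and password file paths are all assumptions to replace with your own.

```nginx
# Added example; port 8080, host name and file paths are assumptions.
#
# Publish the container on loopback only, so nginx is the only way in:
#   weak:      docker run -p 8080:8080 ...            (listens on 0.0.0.0)
#   corrected: docker run -p 127.0.0.1:8080:8080 ...  (loopback only)
#
# Create the credential file (htpasswd ships with apache2-utils / httpd-tools):
#   htpasswd -c /etc/nginx/api.htpasswd login

server {
    # Only a TLS listener is defined for this host, so this server block
    # never serves the API or accepts credentials over plain HTTP.
    listen 443 ssl;
    server_name example.com;                              # assumed host name

    ssl_certificate     /etc/nginx/tls/example.com.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Basic auth at server level: every path is authenticated before
    # anything is handed to the backend.
    auth_basic           "API";
    auth_basic_user_file /etc/nginx/api.htpasswd;

    location / {
        proxy_pass http://127.0.0.1:8080;                 # assumed container port
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, `ss -ltn` should show the container port on 127.0.0.1 only. Calling the API as `curl -u login https://example.com/list/sshd/1` makes curl prompt for the password instead of leaving it in the URL and shell history.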
## All your servers
First, install fail2ban on your OS. You already know how to do it, because you are a sysadmin.
Next, add a line to `/etc/fail2ban/action.d/iptables-multiport.conf`