There's ways of running fail2ban as a non-root user. In order to do so, we need to expose user/group passed to start-stop-daemon in the conf.d. Here's the documentation for accomplishing a non-root fail2ban: https://github.com/fail2ban/fail2ban/blob/master/doc/run-rootless.txt
We don't use our own conf.d script - upstream provides that.