When I look in fail2ban status there is about 1100 bans

SYSTEM INFORMATION
OS type and version Ubuntu 20.04
Virtualmin version Latest

When I look at fail2ban status there is about 1100 banned ip. If I stop and start fail2ban there is no bans but 5 minutes later all the bans are back. I use Firewalld. Where can all this bans come from

Nefarious sources. :frowning:

You might see if you can recognize some patterns and start blocking by CIDR.

but if I empty fail2ban and they then all come back in 5 minutes they must come from somewhere

This is a performance issue with fail2ban and firewalled you can speed this up by changing your jails to use iptables or as I have done ditch fail2ban and firewalld and use something else

Use like what?

I coded my own so I have complete control of the firewall and banning process but you could use csf which may be better than firewalld/fail2ban

I have 2 other servers without any CP so I control them with ssh and there I have ufw and fail2ban and that works great. But it is probably simpler because its a pure email server that is very locked down.

Note no firewalld , to get a perfomance increase change you fail2ban jails to use iptables rather than the default firewalld this may be enough performance increase to stop the problem you are seeing

I have now CSF installed instead and we have to see. For now there is a positive change in performance. I will dig down into tutorials about CSF to finetune it more.