I use Fail2ban. I configured it to block malicious attacks like SQL injection, 403, 404, URL scanners, and shellshock vulnerability. Once fail2ban blocks the IP address, it passes to Cloudflare IP access rules.
Sometimes Fail2ban blocks Google and Bing bot IPs (false positive). Periodically Google and Bing update the IP address. The easiest way to whitelist these search engine bots is via the Cloudflare IP access rule (using a simple script to pass search engine bot IP via Cloudflare API). It is hard to automatically whitelist these IP addresses from fail2ban.