The default behavior of fail2ban adding an offending ip address to iptables doesn’t do much if the website is protected by Cloudflare ServerShield which proxies the requests to Plesk server.
Please consider adding the capability whereby if fail2ban is activated on a Plesk server and a hosted website is protected by Plesk Cloudflare ServerShield extension, an offending IP address should also be added via a cloudflare api call to cloudflare firewall rules for the affected website. This way the Plesk server is protected at a minimum for that website which might be under a DoS attack.