I use fail2ban and a jail specifically for vnc. You can read about it at the URL below.
You should be able to set it up yourself with my OSX specific modifications.
FWIW, I get a ton of vnc access attempts.
a simple approach is to change your VNC port so it's not hit by automated explot scripts.
many routers make this simple, they let you remap the public port to a different internal port
55455 -> 5900
Then from mac
You can't count on this to protect you from a knowledgeable attacker with a purpose/mission directed at your organization.. but it does simply hide you from the auto-hacks, which are 99% of the problem