
block remote management for unauthorized addresses

I handle tech support for a small law firm but live about an hour away. Sometimes it's handy to have remote access to the office. For the past several years, I've been using Apple Remote Desktop in a way that I believed was configured securely. But now I'm not so sure. Short of looking at something like LogMeIn, I'd like to know if there's anything I can do to lock my connection down.


Here's the skinny on the setup. They have a Comcast Business Class SMC gateway and I've configured the DMZ to forward all traffic to an AirPort Extreme (802.11ac) that handles their in-office WiFi, DHCP, NAT, etc. That AirPort has ports 3283 and 5900 mapped from the fixed public IP address to a fixed private IP address. That private IP address is for a Mac mini running OS X 10.11.4. I allow only one user account to remotely manage this station, and it has both a complex username and password which I periodically change. I'm the only one who knows what these login credentials are. Remote Management options do not allow for password-only VNC. As best as I can figure, that's as tight as I can make things.


Periodically, I remote in and do a netstat -n to look for any unwarranted connections. Recently, I started seeing what appeared to be failed attempts to VNC into the server. (I've removed all information from these screenshots that identifies the Mac in question or my own remote IP address -- where you see a white space under Foreign Address is my connection, so that line can be ignored):

User uploaded file

So the private IP address for the Mac mini is 192.168.75.200, and you can see there is a port 5900 connection from 50.251.144.130 that reads as "SYN_RCVD". From what I can tell, that is a stage of VNC negotiation but doesn't indicate the client was able to make a connection. I figured this probably meant someone was trying to VNC into the Mac but didn't have the credentials to make it work. The other connections don't look bothersome. The 17.x.x.x traces back to Apple and the other ones are self-referencing.


Recently though, I came across this during one of my routine checks.

User uploaded file

If I'm reading that right, it looks like 50.251.144.130 has successfully connected. That traces back to some Comcast connection in Atlanta. I rebooted the Mac immediately to disconnect it. Again, the other stuff doesn't look like a problem. The port 445 entries are in-office file sharing connections. The 107.20.183.123 lines go back to Amazon Web Services -- not sure what those are. Since they're port 80, maybe I had a web browser open on the Mac at the time -- can't remember. I suppose those could be malicious as well but none of them are pointing to port 5900 on the Mac.


Tonight, I came across multiple "closing" 5900 connections from 74.218.231.82. That traces back to mail.sylvancharlotte.com which I think may be a mail server for Sylvan Learning Center in Charlotte NC. I'm guessing this may be a compromised server that's being used to hammer random passwords at our Mac in an attempt to crack VNC.

User uploaded file

Since I don't allow password-only VNC connections, the only way you should be able to remote into this Mac is by using the correct Mac username and password. But at least that one 50.251.144.130 connection has now got me concerned that someone's figured out a way around this limitation.


One thing I might like to do is restrict incoming Remote Management sessions to be accepted only by local IP addresses (192.168.75.x for when I'm in their office but not physically in front of the Mac) and by one public IP address which would be the one assigned to my Comcast router at home. If I could set that limitation, I could then feel that this public-facing connection is secure again. Or it'd be nice at least if I could blacklist bad IPs like these when I see them. But I can't seem to find that kind of option anywhere, at least in the GUI.


If this just isn't a safe setup any longer, someone tell me so. I'll look at LogMeIn or perhaps finally sit down and figure out how to set up a VPN server... just haven't taken the time to do that yet.

Mac mini, OS X El Capitan (10.11.4)

Posted on Apr 6, 2016 8:37 PM
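
An added example, not part of the original post: a script that automates the periodic `netstat -n` check described above by flagging any peer on the forwarded ports 3283 and 5900 that falls outside an allowlist. The sample lines are constructed in the macOS `netstat` layout, the foreign port numbers are made up, and 203.0.113.10 is a placeholder standing in for the home address.

```python
import ipaddress

# Assumptions for this example: the office LAN from the post and a
# documentation-range placeholder standing in for the admin's home address.
ALLOWED = [ipaddress.ip_network("192.168.75.0/24"),
           ipaddress.ip_network("203.0.113.10/32")]
WATCHED_PORTS = {3283, 5900}  # the two ports forwarded to the Mac mini

# Constructed sample in macOS `netstat -n` layout (address.port).
SAMPLE = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.75.200.5900    50.251.144.130.51712   SYN_RCVD
tcp4       0      0  192.168.75.200.5900    203.0.113.10.60211     ESTABLISHED
tcp4       0      0  192.168.75.200.445     192.168.75.31.49822    ESTABLISHED
tcp4       0      0  192.168.75.200.5900    74.218.231.82.40122    CLOSING
tcp4       0      0  192.168.75.200.5900    50.251.144.130.51790   ESTABLISHED
tcp4       0      0  *.5900                 *.*                    LISTEN
"""

def split_endpoint(field):
    """Split macOS 'a.b.c.d.port' into (ip, port); None for wildcards."""
    host, _, port = field.rpartition(".")
    if not port.isdigit():
        return None
    try:
        return ipaddress.ip_address(host), int(port)
    except ValueError:
        return None

def unexpected_peers(netstat_text):
    """Return (foreign_ip, local_port, state) for every connection to a
    watched port whose peer is outside ALLOWED."""
    findings = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] != "tcp4":
            continue  # headers, IPv6 and non-TCP rows are out of scope here
        local, foreign = split_endpoint(cols[3]), split_endpoint(cols[4])
        if local is None or foreign is None:
            continue  # listening sockets show '*' and have no peer
        if local[1] in WATCHED_PORTS and not any(foreign[0] in n for n in ALLOWED):
            findings.append((str(foreign[0]), local[1], cols[5]))
    return findings

if __name__ == "__main__":
    for ip, port, state in unexpected_peers(SAMPLE):
        # ESTABLISHED means the TCP handshake completed, not that a login succeeded.
        print(f"{ip} -> port {port}: {state}")
```

On the Mac itself, the output of `netstat -n -p tcp` can be passed to `unexpected_peers` in place of `SAMPLE`.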
