• Create a firewall rule to block (or only allow) port 5900 accesses from the internet for a single or small range of IP's.
Of course you'd have to know what internet IP(s) you may have (i.e. what are you). The firewall will prevent any port scanners from even reaching your LAN while you'll get through. -- Don't feed trolls--it only makes them grow!
Bottom line is that all those entries were probes and attempts but not actual access. Correct? and a 63 char random password like I use for my wireless key would be as secure as it could get other than using other ways like mentioned above?