I am another that tunnels VNC over SSH. My SSH is configured to use a certificate, so no way to hack the password and I have fail2ban running to block IPs trying to get into my SSH. Three fails and you're blocked for an hour.
May I ask why an hour, when you are not expecting password attempts with anything other than a cert? Why not 600 hours?
Once or twice I have had keyboard issues and have locked myself out (there is a "password" on the cert). I consider one hour enough punishment for myself. If they continue to try to get in they get blocked all over again.
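As an added example (not from either poster), the setup described in this thread expressed as configuration: an sshd drop-in that allows only public-key logins, a fail2ban jail with three failures earning a one-hour ban, and the VNC-over-SSH tunnel command. The ignoreip line addresses the self-lockout the second poster mentions. Paths, the 192.0.2.10 address, and user@host are placeholders; on a real host the files go under /etc/ssh/sshd_config.d/ and /etc/fail2ban/.

```shell
#!/bin/sh
# Output directory is a placeholder so this runs anywhere; copy the files
# to /etc/ssh/sshd_config.d/ and /etc/fail2ban/ when applying for real.
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# sshd drop-in: key-only logins, so a guessed password never gets a shell.
# Validate with `sshd -t` before restarting sshd, otherwise a typo here can
# lock you out more thoroughly than fail2ban ever will.
write_sshd_dropin() {
  cat > "$OUT_DIR/50-key-only.conf" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
}

# fail2ban jail: 3 failed logins within 10 minutes => banned for 1 hour
# (the "three fails, one hour" policy from the first post).
# ignoreip exempts a trusted address so a mistyped passphrase from your own
# desk does not ban you; 192.0.2.10 is a documentation placeholder.
write_jail() {
  cat > "$OUT_DIR/jail.local" <<'EOF'
[sshd]
enabled  = true
maxretry = 3
findtime = 10m
bantime  = 1h
ignoreip = 127.0.0.1/8 192.0.2.10
EOF
}

# VNC over the tunnel: local port 5901 is forwarded to the server's own
# localhost:5901, so the VNC port never has to be exposed on the network.
# Connect the VNC viewer to localhost:5901 while this runs.
vnc_tunnel_cmd() {
  printf 'ssh -N -L 5901:localhost:5901 user@host\n'
}

write_sshd_dropin
write_jail
echo "wrote $OUT_DIR/50-key-only.conf and $OUT_DIR/jail.local"
echo "tunnel: $(vnc_tunnel_cmd)"
```

After reloading fail2ban, `fail2ban-client status sshd` shows the current ban list, which is the quickest way to confirm the jail is actually watching the sshd log.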