I would check the VNC access with fail2ban as well as I did for SSH .... is it possible ?
Is it okay to add these lines in jail.local after [ssh] jail ?
enabled = true
vnc port = 5900
filter = vnc
logpath = /var/log/auth.log
maxretry = 3
filter = vnc ?
VNC also uses /var/log/auth.log ?