We saw only about 5 failed logins with odd user names.
That is what happens with attempted hacks. Example below from my email server.
Code:
2019-12-16 16:08:58 -0500 02 mail SMTP-IN:00001DAD: Authentication error for user 'cholecystitis@verhyden.org': Account not found locally
I can get hundreds every day just on my email server. If I look at my USG I get many times that. But that's the nature of the game when you provide services.
You said the password was not very complex. Brute force is a matter of pure statistics. As @Sky-Knight mentioned, this stuff is all automated, with a database behind it. The black hats find an IP, launch a demon pointing to it and wait for a success notice. Part of what they do is start with the common password variants. Like password%%%%%, welcome%%%%, letmein%%%%%, techsupport%%%%, etc. And they probably start their iterations at 6 characters or so in the password brute force. Saves them a little time.
Were they all from the same IP address? Given you only had 5 in 17 hours, assuming you filtered the log file properly, then it's doubtful anyone got in. But this is risk management so it's really up to each person to determine what they are and are not comfortable with. Did you look at the users list to see if a user has been added? Run the best practices on the server to see if something shows up? The list goes on forever.
The problem is a networking issue, not a server issue per se. Your edge device, router, is the gateway, literally. By default NAT acts as a firewall. Internet design does not allow traffic to pass from a public IP to a private IP range unless it's allowed at the interface. In the design there are two scenarios to allow traffic. Traffic that is initiated from the inside, say going to google.com, always allows return traffic unless there are restrictions implemented. What we are talking about, in your case @pcpete, is "unsolicited traffic". Someone randomly knocking at the door. By default all devices block that unless it's specifically allowed. As in port forwarding, DMZ, etc.
In simple terms, never, ever do any kind of port forwarding, DMZ, etc., etc. unless you completely understand the consequences. Since the ISP provides the VPN, I'd talk to them about whitelisting MAC addresses if you can't do that directly on the edge device. This is a way to block black hats. If they are not providing any services to the public, like a website, it should be simple. Not perfect of course. Remember that the vast majority of breaches involve PEBKAC failures which start on the inside with unlimited outside access unless otherwise blocked.
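An added example, not part of the original post: one way to filter a mail log in the format quoted above and separate guesses at nonexistent accounts from failures against accounts that do exist. Only the first sample line comes from the post; the other lines, the `example.test` addresses and the "Invalid password" reason text are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the failed-authentication line format quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) \S+ \S+ "
    r"(?P<session>[\w-]+:[0-9A-Fa-f]+): Authentication error for user "
    r"'(?P<user>[^']*)': (?P<reason>.+)$"
)
UNKNOWN = "Account not found locally"  # reason text shown in the post

# Constructed sample: line 1 is from the post, the rest are made up.
SAMPLE_LOG = """\
2019-12-16 16:08:58 -0500 02 mail SMTP-IN:00001DAD: Authentication error for user 'cholecystitis@verhyden.org': Account not found locally
2019-12-16 18:41:10 -0500 02 mail SMTP-IN:00001E02: Authentication error for user 'info@example.test': Account not found locally
2019-12-16 23:15:47 -0500 02 mail SMTP-IN:00001E9B: Authentication error for user 'office@example.test': Invalid password
2019-12-17 03:02:31 -0500 02 mail SMTP-IN:00001F10: Authentication error for user 'Office@example.test': Invalid password
2019-12-17 09:08:58 -0500 02 mail SMTP-IN:00001F77: Authentication error for user 'test@example.test': Account not found locally
2019-12-17 09:09:00 -0500 02 mail SMTP-IN:00001F77: Connection closed
"""

def triage(log_text):
    """Summarise failed logins: how many, over what window, against whom."""
    guessed, real = Counter(), Counter()
    stamps, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # not an authentication-error line
            continue
        stamps.append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z"))
        # Any reason other than "not found" means the account name was valid,
        # so repeated hits there are password guessing against a real mailbox.
        bucket = guessed if m["reason"] == UNKNOWN else real
        bucket[m["user"].lower()] += 1
    hours = (max(stamps) - min(stamps)).total_seconds() / 3600 if stamps else 0.0
    return {
        "failures": len(stamps),
        "window_hours": round(hours, 2),
        "nonexistent_accounts": guessed,
        "existing_accounts": real,
        "skipped_lines": skipped,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Entries under `existing_accounts` are the ones worth following up with a password change and a look at that account's successful logins.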