You're correct, the changing port number means intrusions from the same real source aren't always recognised as such.
Although you can change the behaviour by clearing LGI_BRK_TERM, the source is then listed as you've shown "Node::TELNET_AC103B05". The hex string is an encoded IP address. Unfortunately TELNET protocol does not include the source username, so the intrusion looks the same for all attempts from the same NODE, regardless of the source user.
This means a single user can drive the node into INTRUDER status, and block connections from ALL users coming from that node. This might not be a problem, for example, if all your incoming telnet sessions are from PCs. But it WILL be a problem in some environments.
If you're going to clear LGI_BRK_TERM, it may be worth thinking about increasing LGI_BRK_LIM (ie: the threshold for a suspect becoming an intruder). Setting it up from the default of 5 to (say) 25, will reduce the chances of a single user with a bad memory blocking access from the whole node (5 retries is "reasonable", but I'd question the sanity of anyone who retries a password 25 times!). Sure this slightly reduces your protection against brute force attacks on your system, but then with half decent password policies, there's not much different between a dictionary attack of 5 and one with 25.
A crucible of informative mistakes
