The basic issue is that telnet only knows the address from which a login is attempted, not the source username.
So, all login attempts from the same terminal server appear to be the same source (same IP address). With many users logging in, it's easy to exceed the default intrusion limits and assume the system is under attack. Remember, these are DEFAULTS. There's nothing magic about them. They can, and should, be adjusted to suit local requirements. See MCR SYSGEN HELP/LGI to see all the parameters you can adjust to control how the system behaves.
As Hoff has suggested, changing LGI_BRK_TERM might help. It causes the terminal name to included in the source string. BUT the downside is it means a true breakin won't necessarily be detected, as each new connection from an IP address will generate a new terminal name, hence multiple attempts won't be associated and the attempts added together to detect an intrusion. A dictionary attacker can just keep feeding in attempts. They'll generate lots of suspects, but, if they know what they're doing, will never push the system into intrusion.
An alternative is to increase LGI_BRK_LIM from the default of 5. With the default setting, five failed login attempts in a 5 minute period will lock out the whole server. Depending on your pattern of logins, and the level of users, this could easily be exceeded at start of day, just from fumble fingered users.
Increasing the value to (say) 3x the number of users on the terminal server may raise the limit high enough that you don't ever lock out the server. For a 16 port terminal, that means LGI_BRK_LIM=48. So, we should reduce, or eliminate the instances of server lockout, but you still have protection against brute force dictionary attacks, which is what intrusion detection is really about. What are the chances of a dictionary attack succeeding in under 50 attempts against an OpenVMS account with even the most lax password rules?
Long term, keep an eye on the output of SHOW INTRUSION, especially at peak login times, to see the real "highwater" marks for suspects. You may be able to reduce LGI_BRK_LIM to find the best balance between keeping your system secure, and not blocking legitimate logins.
(and I concur with Hoff about SYSUAFs and other cluster environment files. Take the time to merge them together into a single set of files, physically shared across the cluster - this will avoid MANY problems down the track).
A crucible of informative mistakes
