I don't think so, but it's your server. I lost a machine to a telnet attack, just having the port open and the service available. No login occurred, at least not through the usual auth mechanisms.
I’m not saying it’s done widely, but it’s possible. The implementations I’ve seen are not ready for large scale primetime, but if you’re just hosting a BBS, how would it be different than an old dialup terminal?