Just to scratch that itch, I created a little script that opens up some TCP ports of your choosing and, when activity is detected on those ports, takes the IP address interacting with them, performs some recon on the address, writes the results to an SQLite file, and slings it into a webhook if you like (mine is thrown into Slack).
I thought I would look at two ports, 5500 and 7443: one of those ports is for Cobalt Strike's management control, the other is Sliver's. What I wanted to see was whether just having the port open was enough to get the IP address onto a blacklist. I've run it for close to 6 months, so let's see what we can see...
(Bad) Code if you want it.
The root domains from the lookups show us that over 6 months (ish) these two ports, 50500 and 8888, have been touched over 2208 times, minus 742 hits that have no domain attributed to their operators.
On the IP address front we have 2208 IP addresses, but only 1096 unique addresses.
Nothing super exciting in those IP addresses when cross-referencing against dehashed.com's services.
Anyway, to the point... it's been hit a fair few times, mostly re-hit.
Perhaps because there is no service banner or fingerprintable content to work with, it appears much of the TI ignores the ports, even though they're very much in the 'probably badly configured C2' category.
So we're left with a nice way to get an idea of who's snooping without giving them a great deal to work with. I'm sure you could do something similar with tcpdump, but I suspect this might be lighter on the OS and easier to add features to (SQLite, webhooks).
You could use this as a dumb-dumb-dumb canary, but you'd be infinitely better off heading on over to Thinkst https://canary.tools and speaking to those fine people. (Haroon was kind enough to send me an actual canary, and they are lovely: lovely UX, lovely client support, just brilliant.) I wouldn't want this script to detract from the value of a beautifully built toolkit from Thinkst.