Tor Middle/Guard relay Debian

Good Bad ISPs
https://community.torproject.org/relay/community-resources/good-bad-isps/
I am running one relay at netcup and one at terrhost

Installation as root
$ su

SSH: Change the default port
$ sudo nano /etc/ssh/sshd_config
$ Port 22 mit dem gewünschten SSL Port Port xxx ersetzen und # entfernen nicht vergessen
Save and exit (CTRL+O, CTRL+X)
$ sudo service ssh restart

Install Fail2ban
$ sudo apt install fail2ban

Config fail2ban
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-debian-11

Install ufw firewall
$ apt install ufw
Config ufw
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-10
allow all tor ports + ssh (new ssh port)

Install tor

Enable Automatic Software Updates
$ apt-get install unattended-upgrades apt-listchanges

Edit: /etc/apt/apt.conf.d/50unattended-upgrades
$ nano /etc/apt/apt.conf.d/50unattended-upgrades

Remove all before you add the lines below

Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=TorProject";
};
Unattended-Upgrade::Package-Blacklist {
};
Save and exit (CTRL+O, CTRL+X)

Update the file /etc/apt/apt.conf.d/20auto-upgrades with the following content
$ nano etc/apt/apt.conf.d/20auto-upgrades

add

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Verbose "1";
Save and exit (CTRL+O, CTRL+X)

Update /etc/apt/apt.conf.d/50unattended-upgrades for automatic update
$ nano /etc/apt/apt.conf.d/50unattended-upgrades

add

Unattended-Upgrade::Automatic-Reboot "true";
Save and exit (CTRL+O, CTRL+X)

Update repository
$ apt install apt-transport-https

Create tor.list
$ touch /etc/apt/sources.list.d/tor.list

Edit tor.list
$ nano /etc/apt/sources.list.d/tor.list

deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org main
Save and exit (CTRL+O, CTRL+X)
Replace with your Operating System codename.
Run lsb_release -c or cat /etc/debian_version to check the Operating System version.

Install gpg
$ apt install gpg

Then add the gpg key used to sign the packages by running the following command at your command prompt
$ wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

Update and install tor debian keyring
$ apt update
$ apt install tor deb.torproject.org-keyring

Install tor
$ apt install tor

Edit torrc
$ nano /etc/tor/torrc

Nickname myNiceRelay # Change "myNiceRelay" to something you like
ContactInfo your@e-mail # Write your e-mail and be aware it will be published
ORPort 443 # You might use a different port, should you want to
ExitRelay 0
SocksPort 0
Save and exit (CTRL+O, CTRL+X)

My torrc

Nickname xxx
ContactInfo email: xxx fingerprint: xxx matrix: xxx
MyFamily xxx,xxx
ORPort 443
ControlPort 9051
DirPort 9034
RelayBandwidthRate 120 MBits
RelayBandwidthBurst 480 MBits
ExitRelay 0
SocksPort 0

6: Optional: Limiting bandwidth usage (and traffic)
Because i have 120TB bandwidth
I have 120TB 60TB for download and 60TB for uplaod
RelayBandwidthBurst is 4x RelayBandwidthRate
https://community.torproject.org/relay/setup/post-install/
Show Hosting Bandwidth Converter
https://www.calculator.net/bandwidth-calculator.html

Restart daemon
$ systemctl restart tor@default

Tor log
$ sudo journalctl -e -u tor@default
close log press q

Install nyx for monitoring
$ apt install nyx
use sudo as normal user
If you change torrc press 2*x for updating nyx

Backup tor identity keys

After your initial installation and start of the tor daemon it is a good idea to make a backup of your relay's long term identity keys. They are located in the "keys" subfolder of your DataDirectory (simply make a copy of the entire folder and store it in a secure location). Since relays have a ramp-up time it makes sense to back up the identity key to be able to restore your relay's reputation after a disk failure - otherwise you would have to go through the ramp-up phase again. Only do this if you have a very secure place for your keys as if stolen, these keys could theoretically allow traffic decryption or impersonation.
Default locations of the keys folder:

Debian/Ubuntu: /var/lib/tor/keys

Backup tor keys
$ sudo -su
$ cd /var/lib/
$ tar -cvf tor.tar.gz tor
$ mv tor.tar.gz tor ../../home/your_user
now you can download via ftp

Sources:

https://community.torproject.org/relay/setup/guard/debian-ubuntu/
https://community.torproject.org/relay/setup/post-install/
https://support.torproject.org/relay-operators/upgrade-or-move/
https://nyx.torproject.org/

Support:

Forum: https://forum.torproject.net/
Matrix: https://blog.torproject.org/entering-the-matrix/