My server uses this sysctl.conf
It's for openbsd, though. I think gnu+linux don't have a securelevel equivalent and don't have the xf86 aperture driver...
If you know any other trick on sysctl to tight the security, let me know.
If you are this paranoid, you could actually just lock the server:
- remove the user from wheel, so he can't access the "su";
- remove the user from sudo groupd or "doas";
- modify your /etc/fstab to mount all the filesystems as read-only and with all 4 flags: noexec, nodev, nosuid and noatime
- use root to turn all files immutable using chflags: # chflags -R schg /.
- use the securelevel to 2;
- remove the "secure" flag from all tty's and from console on /etc/ttys so that root can't access the system anymore and the system will ask for password when entering single-user mode;
Done. Now, only the user have the permission to enter on the system, and any files can be modified, so no intrusion attacks. Could still deanonymise you or cause denial of service. The offender could exploit some buffer overflow, but if your memory is encrypted (like with W^X) you don't need to worry. The only possible attacks I can see would be a hardware attack, like with Intel AMT, ring 0 priviledges on x86, rowhammer and the side channel attackes. Besides that, I can't see how someone would exploit this system to, say, put some backdoor.
Of course, this is highly impractical, since you would need to reinstall all the server if some update is needed. But for a hidden service of a imageboard, I think this could be practical since you don't need maintainance and you can access the web interface as admin to moderate. There's also the possibility to synchronized the databased used by your site using some distributed filesystem like tahoe-lafs, and spread many servers. So, if one server is down, the other automatically server the page again. If you have enough boards, it would be very difficult to remove the website from the net. Could do it using arm development board, for example.
Just some random thoughts, don't listen to a schizophrenic.