No matter what an intruder tries, if you put your operating system on read-only media, intrusion becomes limited.
Of course, installation and changes become more difficult because you must reboot with your media set to read-write, then reboot again to read-only. SDHC memory works well for this, since it has a read-write switch like the old floppy drives. Put the memory in a
USB "card reader" for SD
(microSD doesn't appear to have a read-write switch).
You can insert the SDHC in something that looks like a flash drive, then insert the whole in a USB slot.
Or, you can use something like the Adonics eSATA/USB Digidrive
to connect to your computer's eSATA port (if you have such a port on the back of your computer),
which is probably more efficient (fewer waits) than a USB 3.0 connection.
In Linux, you might choose to put most of your operating system on SDHC switched to read-only,
then put a variable area on a regular disk drive for logs, although you can put logs into a memory area that disappears on reboot.
Or you might put your webpages on a separate SDHC,
so your webpages get no intrusion changes.
You could then unmount your webpage SDHC, switch to read-write, make changes, unmount, switch to read-only.
In Debian Linux, the foundation for most Linuxes (eg, Ubuntu), you can look at the "Securing Debian Manual",
Debian has a highly tailored Aide (like tripwire) that uses checksums to detect any file changes.
In Debian, "dar" Disk Archiver (like tar) makes backups on external disk drives, but dar probably requires some tailoring (I use dar).
For a firewall, you could use Debian's easily used Guarddog.
In some sense, Debian is the administrator's operating system -- for the serious.