* ROOT account: No logins, create another account which can only be locally logon to, which can sudo. Password 16 chars, potentially automatically rotating. Possibly also having 2 factor authentication. You can trivially create this step by even creating a PHP Script as the shell
The only advantage of this is that it is harder to guess the username?
* Watch logins: More than 2-5 failed logins, shut the system down immediately using "magic" SYSRQ, wrong username? Instantly
Sounds like a nice way to disable your system remotely
* Full disk encryption, on top of which potentially using a bit obscure filesystem to make it that much harder to break. The required data should have 2nd level encryption unless doing that creates a potential attack vector on the first level encryption
How does the machine boot after a power outage?