Unhackable server?

I'm not sure if this is the right website to post this on, but there is a hacking section so here goes..

My general understanding of how hacking a server works is this;

The hacker finds a way to act like he is the admin or finds a loophole in the software / hardware that lets him remotely change things he shouldn't be able to.

If this is correct (and it probably isn't), would it be possible to make a hack proof server? So for example one that is strictly read only, even if you are an admin. Then it would be impossible to hack it right? Or if you somehow had a read only hardware setup, could they hack that?

By 'hack' i don't mean access data they shouldn't, i mean change data they shouldn't.

Let me know what you guys think, and maybe educate me a little. 

Is it possible? Yes. Well... no, probably not. Depends!

I could run a server on my Arduino that serves up the contents of a mask ROM chip. There is no software hack which could change the data stored on the ROM. It simply can not be written to. But if someone REALLY wanted to hack this thing, they could do hardware modifications to the device. Of course, that is not a software hack, and it definitely wouldn't be possible without physical access, so I guess it just depends how far the hacker is willing to go.

If you only have simple tasks to do it is possible but the more complicated it gets the higher your risk of creating functions that could be exploited becomes.

Nowadays most software is so complicated that it just simply becomes unfeasible to make it "hacking proof" you rather try to make a hack complicated and thus unlikely because full prevention is almost impossible anyway.

Also as said earlier there are different levels you have to defend against and total security is almost impossible if you have to assume the attacker will access hardware physically you can no longer grantee for any security on your system.

If it's connected to the internet, odds are someone, somewhere can hack it.

Only way to secure a server against 'hacking' outright? Non-internet connected network of devices, in a physically secure area.

Even then its possible for example look at Stuxnet they had a air gap and a physically secure are as well. Still they got hacked.

I'm going to assume you mean a remote hacker, since if someone has physical access to the box it's game over already unless you're willing to do some crazy stuff.

If you were really really paranoid you could burn the data that you don't want to be tampered with (which sounds like your main concern) to a CD or DVD-ROM and then read it from there, but the read times of that would be super slow. You could put it all onto a separate partition that was mounted read-only, but if someone gained root access to the machine they would be able to re-mount it in read-write mode. Maybe an SD card might be a good idea since they have switches on the side to put them into read-only mode. 

But the best thing to do is to prevent anyone getting into the box in the first place and for that the best piece of advice I have is run the minimum amount of stuff on the machine as possible. If all you're doing is serving static html, then the only services you need exposed to the outside world are sshd and your webserver program of choice (assuming linux here because it's what I know). Don't go and install some random chat server on there because it would be 'fun to play with' since that will give any hacker another attack vector. You could also put in some firewall rules so that only certain ip addresses can access sshd, leaving only the webserver exposed to the outside world. 

That's because of poor physical security. Can't have unscreened media going into your secure network (eg. CD/DVDs and USB drives). That is the only way to infect an air-gapped network.

Also, Stuxnet was a virus with a very specific purpose, targeting very specific equipment, rather than a 'hacker', who might delete/steal files, run BTC on your network, etc.

The just running around and trying stuff out method of hacking is no longer working on top levels like the one stuxnet had been performed on. 

Also you have to keep in mind that keeping stuff out of your network is impossible if the other party really invests in getting it done. And screening Media even on high levels of security is a joke you can still hide data on parts of a drive that aren't usually accessible or the like. Only way to really prevent it is to just not allow anything that is able to transport data in your complex which nowadays gets kinda hard.