diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..8e941b1
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,45 @@
+name: Deploy
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install dependencies
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y libssh-dev
+
+ - name: Build
+ run: make
+
+ - name: Build with AddressSanitizer
+ run: make asan
+
+ - name: Run tests
+ run: |
+ make test
+ cd tests
+ ./test_security_features.sh
+
+ deploy:
+ needs: test
+ runs-on: ubuntu-latest
+ steps:
+ - name: Deploy to production
+ uses: appleboy/ssh-action@v1
+ with:
+ host: ${{ secrets.SERVER_HOST }}
+ username: ${{ secrets.SERVER_USER }}
+ key: ${{ secrets.SERVER_SSH_KEY }}
+ script: |
+ cd /home/admin/repo/tnt
+ git pull origin main
+ make clean && make release
+ cp tnt /home/admin/tnt/tnt
+ sudo systemctl restart tnt
diff --git a/src/ssh_server.c b/src/ssh_server.c
index 970ed18..15c0c40 100644
--- a/src/ssh_server.c
+++ b/src/ssh_server.c
@@ -805,8 +805,9 @@ void* client_handle_session(void *arg) {
 int n = ssh_channel_read_timeout(client->channel, buf, 1, 0, 30000); /* 30 sec timeout */
 if (n == SSH_AGAIN) {
- /* Timeout - check if channel is still alive */
- if (!ssh_channel_is_open(client->channel)) {
+ /* Timeout - send keepalive to prevent NAT/firewall timeout */
+ if (!ssh_channel_is_open(client->channel) ||
+ ssh_send_keepalive(client->session) != SSH_OK) {
 break;
 }
 continue;
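Review bot: The deploy job hands the production SSH key to `appleboy/ssh-action@v1`, a third-party action referenced by a mutable tag, so whatever that tag points to at run time sees `SERVER_SSH_KEY`; pin it to a full commit SHA, `uses: appleboy/ssh-action@<full-commit-sha> # v1`. The `with:` block also sets no host-key check; the action's `fingerprint` input (e.g. `fingerprint: ${{ secrets.SERVER_HOST_FINGERPRINT }}`, secret name constructed here) would make the connection fail if the key were ever offered to a different host. In the `script:` block only `make clean && make release` is chained, so a failed `git pull` or build still reaches `cp` and `systemctl restart`; start the script with `set -e`. The workflow also has no `permissions:` key, and a top-level `permissions:` block with `contents: read` would be enough for what is visible here.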
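Review bot: The new condition ends the session when `ssh_send_keepalive()` fails, but the comment only mentions sending the keepalive and the `break` leaves no trace of why the client was dropped. I would extend the comment to `/* Timeout - send keepalive to prevent NAT/firewall timeout; a failed send means the connection is gone, so end the session */` and log the failure before the `break` if the file has a logging helper (none is visible in this hunk). A successful return presumably only means the request was written, not that the peer answered, so a silently dead peer is noticed only once a later send fails. The loop and the rest of client_handle_session lie outside the hunk, so whether an overall idle limit bounds how long a kept-alive but inactive client can hold a session thread cannot be confirmed from here.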