diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config
index ee0954d5c..85c069dda 100644
--- a/config/ssh/ssh_config
+++ b/config/ssh/ssh_config
@@ -5,7 +5,7 @@
 
 # Set some basic hardening options for all connections
 Host *
-        # Disable Roaming as it is known to be vulnerable
+        # Disable undocumented roaming feature as it is known to be vulnerable
         UseRoaming no
 
         # Only use secure crypto algorithms
@@ -13,15 +13,19 @@ Host *
         Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
         MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
 
-        # Always visualise server host keys (but helps to identify key based MITM attacks)
+        # Always visualise server host keys (helps to identify key based MITM attacks)
         VisualHostKey yes
 
         # Use SSHFP (might work on some up-to-date networks) to look up host keys
         VerifyHostKeyDNS yes
 
-        # send keep-alive messages to connected server to avoid broken connections
+        # Send SSH-based keep alive messages to connected server to avoid broken connections
         ServerAliveInterval 10
-        ServerAliveCountMax 6
+        ServerAliveCountMax 30
+
+	# Disable TCP keep alive messages since they can be spoofed and we have SSH-based
+	# keep alive messages enabled; there is no need to do things twice here
+	TCPKeepAlive no
 
         # Ensure only allowed authentication methods are used
         PreferredAuthentications publickey,keyboard-interactive,password
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
index 456556540..76c9b3eb1 100644
--- a/config/ssh/sshd_config
+++ b/config/ssh/sshd_config
@@ -46,11 +46,13 @@ AllowTcpForwarding no
 AllowAgentForwarding no
 PermitOpen none
 
-# Detect broken sessions by sending keep-alive messages to clients via SSH connection
+# Send SSH-based keep alive messages to connected clients to avoid broken connections
 ClientAliveInterval 10
+ClientAliveCountMax 30
 
-# Close unresponsive SSH sessions which fail to answer keep-alive
-ClientAliveCountMax 6
+# Since TCP keep alive messages can be spoofed and we have the SSH-based already,
+# there is no need for this to be enabled as well
+TCPKeepAlive no
 
 # Add support for SFTP
 Subsystem	sftp	/usr/lib/openssh/sftp-server